
Windows Analysis Report
lC7L7oBBMC.exe

Overview

General Information

Sample name: lC7L7oBBMC.exe (renamed because original name is a hash value)
Original sample name: 0787749d9897612314975e2943139157efcff4dbf604323d3d950c76b7555719.exe
Analysis ID: 1569297
MD5: 4c363afc82b0757d2723ff1287ab85de
SHA1: eae78234d3125edb5e161641b1c61dfab9456a46
SHA256: 0787749d9897612314975e2943139157efcff4dbf604323d3d950c76b7555719
Tags: exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • lC7L7oBBMC.exe (PID: 7120 cmdline: "C:\Users\user\Desktop\lC7L7oBBMC.exe" MD5: 4C363AFC82B0757D2723FF1287AB85DE)
    • powershell.exe (PID: 3216 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6372 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7016 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • lC7L7oBBMC.exe (PID: 5104 cmdline: "C:\Users\user\Desktop\lC7L7oBBMC.exe" MD5: 4C363AFC82B0757D2723FF1287AB85DE)
      • powershell.exe (PID: 7188 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7232 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wlBldyvi.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WmiPrvSE.exe (PID: 7496 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
      • schtasks.exe (PID: 7264 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\user\AppData\Local\Temp\tmpE08F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 7328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • lC7L7oBBMC.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\lC7L7oBBMC.exe" MD5: 4C363AFC82B0757D2723FF1287AB85DE)
  • IxumRsOtTdrVAu.exe (PID: 7296 cmdline: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe MD5: 4C363AFC82B0757D2723FF1287AB85DE)
    • schtasks.exe (PID: 1792 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpF62A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • IxumRsOtTdrVAu.exe (PID: 6688 cmdline: "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe" MD5: 4C363AFC82B0757D2723FF1287AB85DE)
      • schtasks.exe (PID: 3964 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\user\AppData\Local\Temp\tmpFF43.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • IxumRsOtTdrVAu.exe (PID: 816 cmdline: "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe" MD5: 4C363AFC82B0757D2723FF1287AB85DE)
      • IxumRsOtTdrVAu.exe (PID: 4412 cmdline: "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe" MD5: 4C363AFC82B0757D2723FF1287AB85DE)
      • IxumRsOtTdrVAu.exe (PID: 5096 cmdline: "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe" MD5: 4C363AFC82B0757D2723FF1287AB85DE)
  • wlBldyvi.exe (PID: 7700 cmdline: C:\Users\user\AppData\Roaming\wlBldyvi.exe MD5: 4C363AFC82B0757D2723FF1287AB85DE)
    • schtasks.exe (PID: 7244 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpF58E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wlBldyvi.exe (PID: 2620 cmdline: "C:\Users\user\AppData\Roaming\wlBldyvi.exe" MD5: 4C363AFC82B0757D2723FF1287AB85DE)
      • schtasks.exe (PID: 6520 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\user\AppData\Local\Temp\tmpFF91.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 4136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wlBldyvi.exe (PID: 2708 cmdline: "C:\Users\user\AppData\Roaming\wlBldyvi.exe" MD5: 4C363AFC82B0757D2723FF1287AB85DE)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}
Yara matches in memory dumps (Source, Rule, Description, Author, Strings):
  • Source: 00000025.00000002.2491122015.000000000316C000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
  • Source: 00000013.00000002.2491663736.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
  • Source: 00000027.00000002.2481915050.0000000000436000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
  • Source: 00000027.00000002.2481915050.0000000000436000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
  • Source: 00000025.00000002.2491122015.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
  (22 entries in total; first 5 shown)

Yara matches in unpacked PE files (Source, Rule, Description, Author, Strings):
  • Source: 9.2.lC7L7oBBMC.exe.45436d0.1.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
  • Source: 9.2.lC7L7oBBMC.exe.45436d0.1.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
  • Source: 9.2.lC7L7oBBMC.exe.45436d0.1.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen, Strings:
    • 0x316ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x31761:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x317eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x3187d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x318e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x31959:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x319ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x31a7f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • Source: 9.2.lC7L7oBBMC.exe.4508cb0.3.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
  • Source: 9.2.lC7L7oBBMC.exe.4508cb0.3.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
  (9 entries in total; first 5 shown)

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lC7L7oBBMC.exe", ParentImage: C:\Users\user\Desktop\lC7L7oBBMC.exe, ParentProcessId: 7120, ParentProcessName: lC7L7oBBMC.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe", ProcessId: 3216, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lC7L7oBBMC.exe", ParentImage: C:\Users\user\Desktop\lC7L7oBBMC.exe, ParentProcessId: 7120, ParentProcessName: lC7L7oBBMC.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe", ProcessId: 3216, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpF58E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpF58E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\wlBldyvi.exe, ParentImage: C:\Users\user\AppData\Roaming\wlBldyvi.exe, ParentProcessId: 7700, ParentProcessName: wlBldyvi.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpF58E.tmp", ProcessId: 7244, ProcessName: schtasks.exe
Source: Network Connection, Author: frack113, Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\lC7L7oBBMC.exe, Initiated: true, ProcessId: 7488, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49705
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\lC7L7oBBMC.exe", ParentImage: C:\Users\user\Desktop\lC7L7oBBMC.exe, ParentProcessId: 7120, ParentProcessName: lC7L7oBBMC.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CF.tmp", ProcessId: 7016, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lC7L7oBBMC.exe", ParentImage: C:\Users\user\Desktop\lC7L7oBBMC.exe, ParentProcessId: 7120, ParentProcessName: lC7L7oBBMC.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe", ProcessId: 3216, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\lC7L7oBBMC.exe", ParentImage: C:\Users\user\Desktop\lC7L7oBBMC.exe, ParentProcessId: 7120, ParentProcessName: lC7L7oBBMC.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CF.tmp", ProcessId: 7016, ProcessName: schtasks.exe
No Suricata rule has matched

AV Detection

Source: 9.2.lC7L7oBBMC.exe.4508cb0.3.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe, ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, ReversingLabs: Detection: 71%
Source: lC7L7oBBMC.exe, ReversingLabs: Detection: 71%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe, Joe Sandbox ML: detected
Source: lC7L7oBBMC.exe, Joe Sandbox ML: detected
Source: lC7L7oBBMC.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: lC7L7oBBMC.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Wxw.pdbSHA256.- source: lC7L7oBBMC.exe, wlBldyvi.exe.9.dr, IxumRsOtTdrVAu.exe.0.dr
Source: Binary string: Wxw.pdb source: lC7L7oBBMC.exe, wlBldyvi.exe.9.dr, IxumRsOtTdrVAu.exe.0.dr

Networking

Source: Yara match, File source: 9.2.lC7L7oBBMC.exe.45436d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.lC7L7oBBMC.exe.4508cb0.3.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View, IP Address: 46.175.148.58
Source: Joe Sandbox View, IP Address: 104.26.13.205
Source: Joe Sandbox View, IP Address: 104.26.13.205
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, DNS query: name: api.ipify.org
Source: unknown, DNS query: name: api.ipify.org
Source: global traffic, TCP traffic: 192.168.2.7:49705 -> 46.175.148.58:25
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0; Host: api.ipify.org; Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0; Host: api.ipify.org; Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0; Host: api.ipify.org; Connection: Keep-Alive
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0; Host: api.ipify.org; Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0; Host: api.ipify.org; Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0; Host: api.ipify.org; Connection: Keep-Alive
Source: global traffic, DNS traffic detected: DNS query: api.ipify.org
Source: global traffic, DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: lC7L7oBBMC.exe, 00000013.00000002.2491663736.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp, wlBldyvi.exe, 00000025.00000002.2491122015.000000000316C000.00000004.00000800.00020000.00000000.sdmp, IxumRsOtTdrVAu.exe, 00000027.00000002.2490785586.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://mail.iaa-airferight.com
Source: lC7L7oBBMC.exe, 00000000.00000002.1271041828.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, lC7L7oBBMC.exe, 00000009.00000002.1296219521.000000000349B000.00000004.00000800.00020000.00000000.sdmp, IxumRsOtTdrVAu.exe, 00000011.00000002.1358182217.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, lC7L7oBBMC.exe, 00000013.00000002.2491663736.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, wlBldyvi.exe, 00000015.00000002.1350292766.0000000003190000.00000004.00000800.00020000.00000000.sdmp, wlBldyvi.exe, 0000001E.00000002.1380641575.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, IxumRsOtTdrVAu.exe, 0000001F.00000002.1377942726.00000000030AB000.00000004.00000800.00020000.00000000.sdmp, wlBldyvi.exe, 00000025.00000002.2491122015.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, IxumRsOtTdrVAu.exe, 00000027.00000002.2490785586.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lC7L7oBBMC.exe, 00000009.00000002.1299742405.0000000004482000.00000004.00000800.00020000.00000000.sdmp, IxumRsOtTdrVAu.exe, 00000027.00000002.2481915050.0000000000436000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://account.dyn.com/
Source: lC7L7oBBMC.exe, 00000009.00000002.1299742405.0000000004482000.00000004.00000800.00020000.00000000.sdmp, lC7L7oBBMC.exe, 00000013.00000002.2491663736.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, lC7L7oBBMC.exe, 00000013.00000002.2481907734.0000000000434000.00000040.00000400.00020000.00000000.sdmp, wlBldyvi.exe, 00000025.00000002.2491122015.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, IxumRsOtTdrVAu.exe, 00000027.00000002.2490785586.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org
Source: lC7L7oBBMC.exe, 00000013.00000002.2491663736.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, wlBldyvi.exe, 00000025.00000002.2491122015.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, IxumRsOtTdrVAu.exe, 00000027.00000002.2490785586.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org/
Source: lC7L7oBBMC.exe, 00000013.00000002.2491663736.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, wlBldyvi.exe, 00000025.00000002.2491122015.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, IxumRsOtTdrVAu.exe, 00000027.00000002.2490785586.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org/t
Source: unknown, Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown, HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.7:49713 version: TLS 1.2

System Summary

Source: 9.2.lC7L7oBBMC.exe.45436d0.1.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 9.2.lC7L7oBBMC.exe.4508cb0.3.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 9.2.lC7L7oBBMC.exe.45436d0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 9.2.lC7L7oBBMC.exe.4508cb0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.lC7L7oBBMC.exe.3ca48c0.3.raw.unpack, Lab06_Bai03.cs, Large array initialization: array initializer size 573336
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 0_2_00EDDC74
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 0_2_07451748
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 0_2_0745D907
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 0_2_07456471
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 0_2_07456480
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 0_2_07456048
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 0_2_074580A8
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 0_2_074580B8
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 0_2_07457C70
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 0_2_07455C10
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 0_2_07457C80
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 9_2_032CDFCC
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 9_2_07DC8558
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 9_2_07DC1500
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 9_2_07DC14EF
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 9_2_07DC10C8
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 9_2_07DC2D00
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 9_2_07DC0C90
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 9_2_07DC0858
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe, Code function: 17_2_0144DC74
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe, Code function: 17_2_030F6A60
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe, Code function: 17_2_030F0007
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe, Code function: 17_2_030F0040
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe, Code function: 17_2_030F6A50
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe, Code function: 17_2_05C2CBE8
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe, Code function: 17_2_05C26340
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe, Code function: 17_2_05C26350
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe, Code function: 17_2_05C27F88
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe, Code function: 17_2_05C27F78
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe, Code function: 17_2_05C25F18
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe, Code function: 17_2_05C27B40
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe, Code function: 17_2_05C27B50
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe, Code function: 17_2_05C25ACF
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe, Code function: 17_2_05C25AE0
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 19_2_00F1A94F
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 19_2_00F14A98
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 19_2_00F13E80
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 19_2_00F141C8
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 19_2_06697D68
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 19_2_066965E0
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 19_2_06695588
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 19_2_0669B20F
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 19_2_06693040
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 19_2_06697688
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 19_2_06695CD3
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 19_2_06692349
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 19_2_0669E388
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 19_2_06690040
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 19_2_06690006
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe, Code function: 19_2_066902CB
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Code function: 21_2_0186DC74
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Code function: 21_2_073F1748
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Code function: 21_2_073FCBF8
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Code function: 21_2_073F6350
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Code function: 21_2_073F6340
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Code function: 21_2_073F5F18
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Code function: 21_2_073F7F78
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Code function: 21_2_073F7F88
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Code function: 21_2_073F7B50
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Code function: 21_2_073F7B40
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Code function: 21_2_073F5AE0
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Code function: 30_2_011DDFCC
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Code function: 30_2_05451184
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Code function: 30_2_05450040
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Code function: 30_2_05451FFD
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Code function: 30_2_075677E1
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Code function: 30_2_07561500
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe, Code function: 30_2_075614EF
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 30_2_075610C830_2_075610C8
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 30_2_07562D0030_2_07562D00
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 30_2_07560C9030_2_07560C90
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 30_2_0756085830_2_07560858
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 31_2_054EDFCC31_2_054EDFCC
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 31_2_0561004031_2_05610040
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 31_2_0561002531_2_05610025
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 31_2_077478F831_2_077478F8
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 31_2_0774150031_2_07741500
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 31_2_077414EF31_2_077414EF
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 31_2_077410C831_2_077410C8
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 31_2_07742D0031_2_07742D00
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 31_2_07740C9031_2_07740C90
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 31_2_0774085831_2_07740858
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 37_2_015CA19837_2_015CA198
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 37_2_015CE6B037_2_015CE6B0
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 37_2_015CA96037_2_015CA960
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 37_2_015C4A9837_2_015C4A98
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 37_2_015C3E8037_2_015C3E80
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 37_2_015C41C837_2_015C41C8
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 37_2_06D965E037_2_06D965E0
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 37_2_06D9558837_2_06D95588
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 37_2_06D97D6837_2_06D97D68
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 37_2_06D9B20F37_2_06D9B20F
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 37_2_06D9235837_2_06D92358
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 37_2_06D9768837_2_06D97688
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 37_2_06D95CE837_2_06D95CE8
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 37_2_06D9E38837_2_06D9E388
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 37_2_06D9032C37_2_06D9032C
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 37_2_06D9000737_2_06D90007
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_014AE6A139_2_014AE6A1
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_014A4A9839_2_014A4A98
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_014A3E8039_2_014A3E80
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_014A41C839_2_014A41C8
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_014AA96039_2_014AA960
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_06C865E039_2_06C865E0
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_06C8558839_2_06C85588
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_06C87D6839_2_06C87D68
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_06C8B20F39_2_06C8B20F
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_06C8304039_2_06C83040
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_06C8768839_2_06C87688
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_06C85CD339_2_06C85CD3
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_06C8E38839_2_06C8E388
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_06C8234A39_2_06C8234A
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_06C8004039_2_06C80040
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_06C8000639_2_06C80006
                    Source: lC7L7oBBMC.exe, 00000000.00000002.1299858863.0000000007A40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs lC7L7oBBMC.exe
                    Source: lC7L7oBBMC.exe, 00000000.00000002.1260225423.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs lC7L7oBBMC.exe
                    Source: lC7L7oBBMC.exe, 00000000.00000000.1240656812.0000000000780000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameChromeSetup (1).exe< vs lC7L7oBBMC.exe
                    Source: lC7L7oBBMC.exe, 00000009.00000002.1311958816.000000000AE90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs lC7L7oBBMC.exe
                    Source: lC7L7oBBMC.exe, 00000009.00000002.1311958816.000000000AE90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs lC7L7oBBMC.exe
                    Source: lC7L7oBBMC.exe, 00000009.00000002.1308492523.0000000007E40000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs lC7L7oBBMC.exe
                    Source: lC7L7oBBMC.exe, 00000009.00000002.1296219521.000000000349B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs lC7L7oBBMC.exe
                    Source: lC7L7oBBMC.exe, 00000009.00000002.1299742405.0000000004482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs lC7L7oBBMC.exe
                    Source: lC7L7oBBMC.exe, 00000009.00000002.1299742405.0000000004482000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs lC7L7oBBMC.exe
                    Source: lC7L7oBBMC.exe, 00000013.00000002.2483448126.0000000000AF8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs lC7L7oBBMC.exe
                    Source: lC7L7oBBMC.exe | Binary or memory string: OriginalFilenameChromeSetup (1).exe< vs lC7L7oBBMC.exe
                    Source: lC7L7oBBMC.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 9.2.lC7L7oBBMC.exe.45436d0.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 9.2.lC7L7oBBMC.exe.4508cb0.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 9.2.lC7L7oBBMC.exe.45436d0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 9.2.lC7L7oBBMC.exe.4508cb0.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: lC7L7oBBMC.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: IxumRsOtTdrVAu.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, kqvva3nmCUQi6s2CqL.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, KXterRI5WV5h4shtQl.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, KXterRI5WV5h4shtQl.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, KXterRI5WV5h4shtQl.cs | Security API names: _0020.AddAccessRule
                    Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, kqvva3nmCUQi6s2CqL.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, KXterRI5WV5h4shtQl.cs | Security API names: _0020.SetAccessControl
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, KXterRI5WV5h4shtQl.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, KXterRI5WV5h4shtQl.cs | Security API names: _0020.AddAccessRule
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@50/30@2/2
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | File created: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7328:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3744:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6024:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7196:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4136:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | File created: C:\Users\user\AppData\Local\Temp\tmpD8CF.tmp
                    Source: lC7L7oBBMC.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: lC7L7oBBMC.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: lC7L7oBBMC.exe | ReversingLabs: Detection: 71%
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | File read: C:\Users\user\Desktop\lC7L7oBBMC.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\lC7L7oBBMC.exe "C:\Users\user\Desktop\lC7L7oBBMC.exe"
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CF.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Users\user\Desktop\lC7L7oBBMC.exe "C:\Users\user\Desktop\lC7L7oBBMC.exe"
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wlBldyvi.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\user\AppData\Local\Temp\tmpE08F.tmp"
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Users\user\Desktop\lC7L7oBBMC.exe "C:\Users\user\Desktop\lC7L7oBBMC.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\wlBldyvi.exe C:\Users\user\AppData\Roaming\wlBldyvi.exe
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpF58E.tmp"
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpF62A.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Process created: C:\Users\user\AppData\Roaming\wlBldyvi.exe "C:\Users\user\AppData\Roaming\wlBldyvi.exe"
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Process created: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\user\AppData\Local\Temp\tmpFF43.tmp"
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\user\AppData\Local\Temp\tmpFF91.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Process created: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Process created: C:\Users\user\AppData\Roaming\wlBldyvi.exe "C:\Users\user\AppData\Roaming\wlBldyvi.exe"
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Process created: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Process created: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe"
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CF.tmp"
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Users\user\Desktop\lC7L7oBBMC.exe "C:\Users\user\Desktop\lC7L7oBBMC.exe"
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe"
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wlBldyvi.exe"
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\user\AppData\Local\Temp\tmpE08F.tmp"
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Users\user\Desktop\lC7L7oBBMC.exe "C:\Users\user\Desktop\lC7L7oBBMC.exe"
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpF62A.tmp"
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Process created: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpF58E.tmp"
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Process created: C:\Users\user\AppData\Roaming\wlBldyvi.exe "C:\Users\user\AppData\Roaming\wlBldyvi.exe"
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\user\AppData\Local\Temp\tmpFF91.tmp"
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Process created: C:\Users\user\AppData\Roaming\wlBldyvi.exe "C:\Users\user\AppData\Roaming\wlBldyvi.exe"
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\user\AppData\Local\Temp\tmpFF43.tmp"
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Process created: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Process created: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Process created: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeSection loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: version.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: wldp.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: profapi.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: amsi.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: userenv.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: rasman.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: secur32.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: schannel.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeSection loaded: wintypes.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: lC7L7oBBMC.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: lC7L7oBBMC.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                    Source: lC7L7oBBMC.exe | Static file information: File size 1452032 > 1048576
                    Source: lC7L7oBBMC.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12c200
                    Source: lC7L7oBBMC.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: lC7L7oBBMC.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: Wxw.pdbSHA256.- source: lC7L7oBBMC.exe, wlBldyvi.exe.9.dr, IxumRsOtTdrVAu.exe.0.dr
                    Source: Binary string: Wxw.pdb source: lC7L7oBBMC.exe, wlBldyvi.exe.9.dr, IxumRsOtTdrVAu.exe.0.dr

                    Data Obfuscation

                    Source: lC7L7oBBMC.exe, StartForm.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: IxumRsOtTdrVAu.exe.0.dr, StartForm.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, KXterRI5WV5h4shtQl.cs.Net Code: g8UCbsRdqG System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, KXterRI5WV5h4shtQl.cs.Net Code: g8UCbsRdqG System.Reflection.Assembly.Load(byte[])
                    Source: lC7L7oBBMC.exeStatic PE information: 0xE1106C7A [Sat Aug 27 02:59:06 2089 UTC]
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeCode function: 0_2_00EDEA60 pushad ; retf 0_2_00EDEA69
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeCode function: 9_2_032CDA10 push eax; iretd 9_2_032CDA11
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 17_2_05C29E1B push eax; iretd 17_2_05C29E21
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 17_2_05C25AC8 push edi; retn 0005h17_2_05C25ACA
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeCode function: 19_2_00F10C6D push edi; retf 19_2_00F10C7A
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeCode function: 19_2_00F10C53 push ebx; retf 19_2_00F10C52
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeCode function: 19_2_00F10C45 push ebx; retf 19_2_00F10C52
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeCode function: 19_2_0669FFBF push es; ret 19_2_0669FFC0
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 21_2_0186EA60 pushad ; retf 21_2_0186EA69
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 30_2_011DDA10 push eax; iretd 30_2_011DDA11
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 30_2_0545C712 push 0005437Ah; iretd 30_2_0545C71D
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 31_2_054EDA10 push eax; iretd 31_2_054EDA11
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 31_2_0561C712 push 0005607Ah; iretd 31_2_0561C71D
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 37_2_015C0C45 push ebx; retf 37_2_015C0C52
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeCode function: 37_2_015C0C6D push edi; retf 37_2_015C0C7A
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_014A0C45 push ebx; retf 39_2_014A0C52
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_014A0C6D push edi; retf 39_2_014A0C7A
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_014ADCB0 push ebp; retf 39_2_014ADCFD
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeCode function: 39_2_06C8FFBF push es; ret 39_2_06C8FFC0
                    Source: lC7L7oBBMC.exeStatic PE information: section name: .text entropy: 7.992598388880175
                    Source: IxumRsOtTdrVAu.exe.0.drStatic PE information: section name: .text entropy: 7.992598388880175
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, m3rsJZUU9AMmfEKPcJ.csHigh entropy of concatenated method names: 'Fy752bo0fU', 'GRg5ioYhux', 'msj5n3G7E1', 'CHu5UGupEs', 'UL05EZpkdj', 'IQC5R0rlM6', 'i2f5jdGlrM', 'fNT53BycdF', 'lRL5oZMjk5', 'oBo5tA2nuM'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, YWtcI84eE492XxlRU33.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pZ6tdDqgOH', 'DyLt0L3hH0', 'BmotkSvpJa', 'jRwtQsEbZd', 'INXtAs1vJ0', 'bRXtTCvjHj', 'g8KtrHKWxG'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, UdLZjDYWaUqCPuulSH.csHigh entropy of concatenated method names: 'Dispose', 'XuP4xKinrj', 'bKvKL7OoGx', 'lfiTT8OUNR', 'dpa48Nrkw5', 'JSg4zIsK3y', 'ProcessDialogKey', 'aLaKXN3o5J', 'hf0K4YjPcn', 'VFgKKxOO66'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, KXterRI5WV5h4shtQl.csHigh entropy of concatenated method names: 'u19emtp1XI', 'iAUe6IahYV', 'O6KeYTPbPv', 'xube50bBsJ', 'cZAefak8NZ', 'AIdeakUtQH', 'vIYec4g4LQ', 'ENHeInV8xF', 'XMreFEkhDg', 'NKte9UZEu8'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, iN3o5Jxff0YjPcnTFg.csHigh entropy of concatenated method names: 'OBR3vvh0ug', 'Cym3LBrjGq', 'xFc3BrlwCu', 'ooZ3h2lvEO', 'b1C3dUp6ec', 'uAJ3DNk9gv', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, sWPPJBS5mPXs8ZupjQ.csHigh entropy of concatenated method names: 'gXJNnyVnin', 'rgXNU2la0v', 'fk7NvA6K4I', 'qEgNLNUnhG', 'YPmNhqDrdK', 'ilOND6hkpB', 'vu8NVlgo5D', 'M6SNgLLqYl', 'wluNMEDMmP', 'g4JNHUmHT6'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, xaNrkwZ5DSgIsK3yXL.csHigh entropy of concatenated method names: 'Tse36IjjZI', 'xJk3Y9jYu2', 'J0t35XXplt', 'NRX3fIQNHt', 'foI3achGUV', 'xOB3c4ZfSP', 'NZK3I27ZqB', 'aqL3F9qg9s', 'Fjp39i4wo0', 'Fcm37WfXps'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, shfnXRdPejheSQTySc.csHigh entropy of concatenated method names: 'BU2EMYsBhy', 'E8hEs7CaQV', 'EWEEddf7Ti', 'h1YE0yVoXU', 'MluELaYCSd', 'WdhEBIl79b', 'QLZEhlkQ8c', 'QavEDKRt6A', 'BPEEJSVOfR', 'TsrEVdcmiQ'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, VpxjIyCFimbjc6WSps.csHigh entropy of concatenated method names: 'IkI4cqvva3', 'eCU4IQi6s2', 'WU949AMmfE', 'cPc47JCM1a', 'xL54E6b2wd', 'OXb4R995ic', 'PNVY1kiBc973DZgkKR', 'i4EuEbUdtfX7TeibKo', 'mit44Mybd1', 'RJA4eIgeVh'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, FUa4tSzj9tk1avVVa3.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'su5oNIkIAa', 'yjCoEbA1cf', 'Ld0oRuXlui', 'XY1ojwgyKw', 'zXwo38ZHjf', 'pMTooWimHm', 'xwkotpH6fD'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, LgHaddTxl5N2h3KPP4.csHigh entropy of concatenated method names: 'csZjZo1UBi', 'ho2j84tDTr', 'A3S3XCw7P6', 'B6634kBfZA', 'tmEjHKWxGE', 'jkJjsrr9Yn', 'sxjjSuaSgC', 'twpjdgCRZD', 'b4Xj02yBWx', 'cqnjksXWtl'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, UVEhrc4XMwtAun7HHOa.csHigh entropy of concatenated method names: 'gMWolNg1gB', 'oTno1koDVO', 'xKyobSvEPN', 'Jl7o2pxRHV', 'JGkoqnO8HT', 'B8moiatop2', 'YgIoWEi9fo', 'jMWonwn6wl', 'zAaoU8JehB', 'jr3ouom3US'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, XOO66K8vtoEq7BITLb.csHigh entropy of concatenated method names: 'OZYo4s0RBd', 'mZ4oe1ePWn', 'UP6oCxsw1c', 'MFqo6VCifv', 'vEFoY0TWP2', 'ndgofKZBnF', 'wOnoarwcmO', 'DkM3rNZjw4', 'tKl3Zx337g', 'Fdo3xF35W3'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, VeueFswoE7Ox3M36eX.csHigh entropy of concatenated method names: 'CULcl1rrLy', 'PCvc1RVvF5', 'Pl6cbIb7l6', 'M1wc2jYFRO', 'aVccqxytSv', 'fikci9X4j8', 'JuqcWhtqdE', 'Wp6cnPGvw4', 'l6kcUXhIv2', 'qC8cuQcA5g'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, KsalxLKjuZvxdSSCr6.csHigh entropy of concatenated method names: 'q3kbVq3bG', 'qHV2JOv6D', 'PkpikeLrD', 'AZBWKqCON', 'oymUm0t5T', 'k83uMjYi1', 'pmWdeJasImpMxj6vwR', 'HMSZD9OEAVRFeIddZG', 'WG03OOft6', 'i6xtHXkif'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, dM1akdueVQZXVlL56b.csHigh entropy of concatenated method names: 'O1sfqZqyNA', 'mYZfWjuHef', 'r9a5Bys3rK', 'JsS5hyO1kL', 'o395DIc0lm', 'fi25JvFF1P', 'usI5VxgHMZ', 'h8W5gyGWMJ', 'YbJ5wgALtK', 'ose5MhuiQ8'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, L95SDJVFDabwJWbcqA.csHigh entropy of concatenated method names: 'rYfc6SGVIl', 'SrPc57skU9', 'uADca7lFUM', 'XEna82Rsxo', 'Ls3azKt8g0', 'nOqcXbbAvB', 'g0sc4xYION', 'aiFcKmIi9s', 'lTQcelGf40', 'sQbcCWhvYE'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, AwdHXbv995icFZqwgS.csHigh entropy of concatenated method names: 'zOEamPwCyJ', 'vBgaYZWuYC', 'YXoafi3N8v', 'XLSacUqqZm', 'QDFaI69qqy', 'fvNfAy4xRQ', 'DKdfTJfj9R', 'GX5frgjEBG', 'tkffZOY3It', 'OWJfxX1q01'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, XH6WeqQ56QFHPXBTFP.csHigh entropy of concatenated method names: 'Ex9j9NsRUW', 'vmmj7t4ntB', 'ToString', 'wnOj6IrITH', 'ofmjYXiqME', 'wGvj52Km2Y', 'xWDjf0MXQS', 'pOcjaTXLwP', 'PCRjc5Y0Q4', 'GcmjIWUk1H'
                    Source: 0.2.lC7L7oBBMC.exe.7a40000.5.raw.unpack, kqvva3nmCUQi6s2CqL.csHigh entropy of concatenated method names: 'FYgYdmoP0N', 'OUwY0tVDYI', 'UZxYklAydW', 'nVXYQ0I6KO', 'wRBYALJ9Dn', 'DDQYTrR4wb', 'qP0YrFwERB', 'Ke2YZGFycV', 'SxTYxvcBe0', 'c0LY8xM2BB'
                    Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, m3rsJZUU9AMmfEKPcJ.csHigh entropy of concatenated method names: 'Fy752bo0fU', 'GRg5ioYhux', 'msj5n3G7E1', 'CHu5UGupEs', 'UL05EZpkdj', 'IQC5R0rlM6', 'i2f5jdGlrM', 'fNT53BycdF', 'lRL5oZMjk5', 'oBo5tA2nuM'
                    Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, YWtcI84eE492XxlRU33.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pZ6tdDqgOH', 'DyLt0L3hH0', 'BmotkSvpJa', 'jRwtQsEbZd', 'INXtAs1vJ0', 'bRXtTCvjHj', 'g8KtrHKWxG'
                    Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, UdLZjDYWaUqCPuulSH.csHigh entropy of concatenated method names: 'Dispose', 'XuP4xKinrj', 'bKvKL7OoGx', 'lfiTT8OUNR', 'dpa48Nrkw5', 'JSg4zIsK3y', 'ProcessDialogKey', 'aLaKXN3o5J', 'hf0K4YjPcn', 'VFgKKxOO66'
                    Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, KXterRI5WV5h4shtQl.csHigh entropy of concatenated method names: 'u19emtp1XI', 'iAUe6IahYV', 'O6KeYTPbPv', 'xube50bBsJ', 'cZAefak8NZ', 'AIdeakUtQH', 'vIYec4g4LQ', 'ENHeInV8xF', 'XMreFEkhDg', 'NKte9UZEu8'
                    Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, iN3o5Jxff0YjPcnTFg.csHigh entropy of concatenated method names: 'OBR3vvh0ug', 'Cym3LBrjGq', 'xFc3BrlwCu', 'ooZ3h2lvEO', 'b1C3dUp6ec', 'uAJ3DNk9gv', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, sWPPJBS5mPXs8ZupjQ.csHigh entropy of concatenated method names: 'gXJNnyVnin', 'rgXNU2la0v', 'fk7NvA6K4I', 'qEgNLNUnhG', 'YPmNhqDrdK', 'ilOND6hkpB', 'vu8NVlgo5D', 'M6SNgLLqYl', 'wluNMEDMmP', 'g4JNHUmHT6'
                    Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, xaNrkwZ5DSgIsK3yXL.csHigh entropy of concatenated method names: 'Tse36IjjZI', 'xJk3Y9jYu2', 'J0t35XXplt', 'NRX3fIQNHt', 'foI3achGUV', 'xOB3c4ZfSP', 'NZK3I27ZqB', 'aqL3F9qg9s', 'Fjp39i4wo0', 'Fcm37WfXps'
                    Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, shfnXRdPejheSQTySc.csHigh entropy of concatenated method names: 'BU2EMYsBhy', 'E8hEs7CaQV', 'EWEEddf7Ti', 'h1YE0yVoXU', 'MluELaYCSd', 'WdhEBIl79b', 'QLZEhlkQ8c', 'QavEDKRt6A', 'BPEEJSVOfR', 'TsrEVdcmiQ'
                    Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, VpxjIyCFimbjc6WSps.csHigh entropy of concatenated method names: 'IkI4cqvva3', 'eCU4IQi6s2', 'WU949AMmfE', 'cPc47JCM1a', 'xL54E6b2wd', 'OXb4R995ic', 'PNVY1kiBc973DZgkKR', 'i4EuEbUdtfX7TeibKo', 'mit44Mybd1', 'RJA4eIgeVh'
                    Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, FUa4tSzj9tk1avVVa3.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'su5oNIkIAa', 'yjCoEbA1cf', 'Ld0oRuXlui', 'XY1ojwgyKw', 'zXwo38ZHjf', 'pMTooWimHm', 'xwkotpH6fD'
Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, LgHaddTxl5N2h3KPP4.cs | High entropy of concatenated method names: 'csZjZo1UBi', 'ho2j84tDTr', 'A3S3XCw7P6', 'B6634kBfZA', 'tmEjHKWxGE', 'jkJjsrr9Yn', 'sxjjSuaSgC', 'twpjdgCRZD', 'b4Xj02yBWx', 'cqnjksXWtl'
Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, UVEhrc4XMwtAun7HHOa.cs | High entropy of concatenated method names: 'gMWolNg1gB', 'oTno1koDVO', 'xKyobSvEPN', 'Jl7o2pxRHV', 'JGkoqnO8HT', 'B8moiatop2', 'YgIoWEi9fo', 'jMWonwn6wl', 'zAaoU8JehB', 'jr3ouom3US'
Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, XOO66K8vtoEq7BITLb.cs | High entropy of concatenated method names: 'OZYo4s0RBd', 'mZ4oe1ePWn', 'UP6oCxsw1c', 'MFqo6VCifv', 'vEFoY0TWP2', 'ndgofKZBnF', 'wOnoarwcmO', 'DkM3rNZjw4', 'tKl3Zx337g', 'Fdo3xF35W3'
Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, VeueFswoE7Ox3M36eX.cs | High entropy of concatenated method names: 'CULcl1rrLy', 'PCvc1RVvF5', 'Pl6cbIb7l6', 'M1wc2jYFRO', 'aVccqxytSv', 'fikci9X4j8', 'JuqcWhtqdE', 'Wp6cnPGvw4', 'l6kcUXhIv2', 'qC8cuQcA5g'
Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, KsalxLKjuZvxdSSCr6.cs | High entropy of concatenated method names: 'q3kbVq3bG', 'qHV2JOv6D', 'PkpikeLrD', 'AZBWKqCON', 'oymUm0t5T', 'k83uMjYi1', 'pmWdeJasImpMxj6vwR', 'HMSZD9OEAVRFeIddZG', 'WG03OOft6', 'i6xtHXkif'
Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, dM1akdueVQZXVlL56b.cs | High entropy of concatenated method names: 'O1sfqZqyNA', 'mYZfWjuHef', 'r9a5Bys3rK', 'JsS5hyO1kL', 'o395DIc0lm', 'fi25JvFF1P', 'usI5VxgHMZ', 'h8W5gyGWMJ', 'YbJ5wgALtK', 'ose5MhuiQ8'
Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, L95SDJVFDabwJWbcqA.cs | High entropy of concatenated method names: 'rYfc6SGVIl', 'SrPc57skU9', 'uADca7lFUM', 'XEna82Rsxo', 'Ls3azKt8g0', 'nOqcXbbAvB', 'g0sc4xYION', 'aiFcKmIi9s', 'lTQcelGf40', 'sQbcCWhvYE'
Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, AwdHXbv995icFZqwgS.cs | High entropy of concatenated method names: 'zOEamPwCyJ', 'vBgaYZWuYC', 'YXoafi3N8v', 'XLSacUqqZm', 'QDFaI69qqy', 'fvNfAy4xRQ', 'DKdfTJfj9R', 'GX5frgjEBG', 'tkffZOY3It', 'OWJfxX1q01'
Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, XH6WeqQ56QFHPXBTFP.cs | High entropy of concatenated method names: 'Ex9j9NsRUW', 'vmmj7t4ntB', 'ToString', 'wnOj6IrITH', 'ofmjYXiqME', 'wGvj52Km2Y', 'xWDjf0MXQS', 'pOcjaTXLwP', 'PCRjc5Y0Q4', 'GcmjIWUk1H'
Source: 0.2.lC7L7oBBMC.exe.3fdd3d0.2.raw.unpack, kqvva3nmCUQi6s2CqL.cs | High entropy of concatenated method names: 'FYgYdmoP0N', 'OUwY0tVDYI', 'UZxYklAydW', 'nVXYQ0I6KO', 'wRBYALJ9Dn', 'DDQYTrR4wb', 'qP0YrFwERB', 'Ke2YZGFycV', 'SxTYxvcBe0', 'c0LY8xM2BB'
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | File created: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | File created: C:\Users\user\AppData\Roaming\wlBldyvi.exe

                    Boot Survival

Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CF.tmp"

                    Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: lC7L7oBBMC.exe PID: 7120, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: lC7L7oBBMC.exe PID: 5104, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: IxumRsOtTdrVAu.exe PID: 7296, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: wlBldyvi.exe PID: 7700, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: wlBldyvi.exe PID: 2620, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: IxumRsOtTdrVAu.exe PID: 6688, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory allocated: ED0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory allocated: 2B80000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory allocated: 2A80000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory allocated: 7C50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory allocated: 8C50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory allocated: 8E10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory allocated: 9E10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory allocated: 3220000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory allocated: 3450000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory allocated: 3220000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory allocated: 8290000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory allocated: 9290000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory allocated: 9440000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory allocated: A440000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory allocated: 1400000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory allocated: 3240000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory allocated: 3050000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory allocated: 7E30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory allocated: 8E30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory allocated: 8FD0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory allocated: 9FD0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory allocated: ED0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory allocated: 2A00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory allocated: 2860000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory allocated: 1840000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory allocated: 3130000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory allocated: 5130000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory allocated: 7F10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory allocated: 8F10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory allocated: 90C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory allocated: A0C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory allocated: 11D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory allocated: 2F40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory allocated: 4F40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory allocated: 7700000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory allocated: 8700000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory allocated: 8890000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory allocated: 9890000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory allocated: 2FB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory allocated: 3060000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory allocated: 2FB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory allocated: 7940000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory allocated: 8940000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory allocated: 8AD0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory allocated: 9AD0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory allocated: 15C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory allocated: 30F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory allocated: 50F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory allocated: 14A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory allocated: 2F50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory allocated: 1510000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3531
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 554
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4896
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 370
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3438
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3122
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Window / User API: threadDelayed 7817
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Window / User API: threadDelayed 2028
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Window / User API: threadDelayed 3815
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Window / User API: threadDelayed 6004
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Window / User API: threadDelayed 3602
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Window / User API: threadDelayed 6258
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 2552 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4524 | Thread sleep count: 3531 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6680 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2460 | Thread sleep count: 554 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7084 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6444 | Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3868 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 3180 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7304 | Thread sleep count: 3438 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7468 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7356 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7432 | Thread sleep count: 3122 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7484 | Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7456 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7784 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep count: 33 > 30
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -30437127721620741s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8152 | Thread sleep count: 7817 > 30
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -99875s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -99765s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -99656s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -99547s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -99436s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -99328s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -99219s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8152 | Thread sleep count: 2028 > 30
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -99109s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -99000s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -98891s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -98781s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -98672s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -98562s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -98453s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -98344s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -98234s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -98125s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -98014s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -97893s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -97609s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -97484s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -97375s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -97265s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -97156s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -97047s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -96937s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -96828s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -96719s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -96609s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -96499s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -96390s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -96279s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -96172s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -96062s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -95953s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -95844s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -95734s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -95622s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -95515s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -95406s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -95296s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -95160s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -95005s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -94875s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -94766s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -94656s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -94547s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -94437s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -94328s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exe TID: 8116 | Thread sleep time: -94219s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7752 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 5604 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 4220 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep count: 37 > 30
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -34126476536362649s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7204 | Thread sleep count: 3815 > 30
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -99860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7204 | Thread sleep count: 6004 > 30
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep count: 32 > 30
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -99688s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -99563s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -99438s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -99328s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -99218s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -99109s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -98986s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -98860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -98750s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -98641s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -98516s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -98405s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -98297s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -98188s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -98063s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -97938s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -97828s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -97719s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -97594s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -97485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -97360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -97235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188 | Thread sleep time: -97110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -96985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -96860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -96735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -96610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -96485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -96362s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -96235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -96110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -95985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -95860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -95735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -95610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -95485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -95360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -95235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -95110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -94985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -94860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -94735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -94610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -94485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -94360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -94235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -94110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe TID: 7188Thread sleep time: -93985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep count: 36 > 30
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -33204139332677172s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -99873s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7364Thread sleep count: 3602 > 30
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7364Thread sleep count: 6258 > 30
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -99765s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -99656s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -99546s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -99436s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -99327s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -99211s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -99093s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -98984s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -98874s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -98765s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -98644s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -98515s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -98406s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -98297s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -98187s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -98078s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -97968s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -97859s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -97750s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -97640s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -97531s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -97421s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -97312s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -97203s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -97093s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -96980s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -96875s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -96765s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -96656s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -96546s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -96437s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -96327s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -96211s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -96109s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -95999s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -95890s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -95781s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -95671s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -95549s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -95422s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -95312s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -95202s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -95093s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -94984s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -94858s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -94750s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -94640s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe TID: 7372Thread sleep time: -94516s >= -30000s
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 99875
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 99765
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 99656
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 99547
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 99436
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 99328
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 99219
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 99109
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 99000
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 98891
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 98781
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 98672
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 98562
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 98453
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 98344
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 98234
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 98125
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 98014
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 97893
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 97609
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 97484
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 97375
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 97265
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 97156
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 97047
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 96937
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 96828
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 96719
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 96609
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 96499
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 96390
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 96279
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 96172
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 96062
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 95953
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 95844
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 95734
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 95622
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 95515
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 95406
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 95296
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 95160
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 95005
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 94875
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 94766
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 94656
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 94547
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 94437
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 94328
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeThread delayed: delay time: 94219
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 99860
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 99688
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 99563
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 99438
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 99328
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 99218
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 99109
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 98986
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 98860
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 98750
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 98641
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 98516
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 98405
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 98297
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 98188
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 98063
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 97938
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 97828
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 97719
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 97594
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 97485
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 97360
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 97235
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 97110
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 96985
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 96860
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 96735
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 96610
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 96485
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 96362
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 96235
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 96110
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 95985
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 95860
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 95735
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 95610
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 95485
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 95360
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 95235
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 95110
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 94985
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 94860
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 94735
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 94610
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 94485
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 94360
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 94235
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 94110
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeThread delayed: delay time: 93985
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 99873
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 99765
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 99656
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 99546
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 99436
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 99327
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 99211
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 99093
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 98984
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 98874
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 98765
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 98644
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 98515
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 98406
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 98297
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 98187
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 98078
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 97968
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 97859
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 97750
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 97640
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 97531
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 97421
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 97312
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 97203
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 97093
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 96980
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 96875
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 96765
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 96656
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 96546
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 96437
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 96327
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 96211
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 96109
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 95999
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 95890
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeThread delayed: delay time: 95781
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Thread delayed: delay time: 95671
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Thread delayed: delay time: 95549
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Thread delayed: delay time: 95422
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Thread delayed: delay time: 95312
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Thread delayed: delay time: 95202
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Thread delayed: delay time: 95093
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Thread delayed: delay time: 94984
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Thread delayed: delay time: 94858
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Thread delayed: delay time: 94750
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Thread delayed: delay time: 94640
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Thread delayed: delay time: 94516
Source: IxumRsOtTdrVAu.exe, 00000011.00000002.1396294446.0000000007375000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: IxumRsOtTdrVAu.exe, 00000011.00000002.1396294446.0000000007375000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: IxumRsOtTdrVAu.exe, 0000001F.00000002.1375709751.0000000001504000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\gk
Source: lC7L7oBBMC.exe, 00000013.00000002.2483607723.0000000000C64000.00000004.00000020.00020000.00000000.sdmp, wlBldyvi.exe, 00000025.00000002.2487940592.000000000142A000.00000004.00000020.00020000.00000000.sdmp, IxumRsOtTdrVAu.exe, 00000027.00000002.2484191024.000000000121E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe"
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe"
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wlBldyvi.exe"
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe"
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe"
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wlBldyvi.exe"
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory written: C:\Users\user\Desktop\lC7L7oBBMC.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Memory written: C:\Users\user\Desktop\lC7L7oBBMC.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory written: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory written: C:\Users\user\AppData\Roaming\wlBldyvi.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Memory written: C:\Users\user\AppData\Roaming\wlBldyvi.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Memory written: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe"
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CF.tmp"
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Users\user\Desktop\lC7L7oBBMC.exe "C:\Users\user\Desktop\lC7L7oBBMC.exe"
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe"
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wlBldyvi.exe"
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\user\AppData\Local\Temp\tmpE08F.tmp"
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Process created: C:\Users\user\Desktop\lC7L7oBBMC.exe "C:\Users\user\Desktop\lC7L7oBBMC.exe"
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpF62A.tmp"
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Process created: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpF58E.tmp"
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Process created: C:\Users\user\AppData\Roaming\wlBldyvi.exe "C:\Users\user\AppData\Roaming\wlBldyvi.exe"
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\user\AppData\Local\Temp\tmpFF91.tmp"
Source: C:\Users\user\AppData\Roaming\wlBldyvi.exe | Process created: C:\Users\user\AppData\Roaming\wlBldyvi.exe "C:\Users\user\AppData\Roaming\wlBldyvi.exe"
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\user\AppData\Local\Temp\tmpFF43.tmp"
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Process created: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Process created: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | Process created: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
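The evasion section above records three distinct steps: powershell.exe is spawned with Add-MpPreference -ExclusionPath to exclude the sample and its dropped copies from Defender, schtasks.exe /Create registers the "Updates\..." tasks from tmp*.tmp task definitions in the user's Temp directory, and each process writes a buffer beginning with 4D5A (the "MZ" DOS header) to base 0x400000 of a freshly spawned copy of itself. The Python below is an added example of detection logic for those three patterns, not code from the Joe Sandbox report or from the sample. The event dictionaries and field names are an assumed telemetry shape invented for this example; the sample events are constructed from the command lines above, plus a made-up -EncodedCommand variant (the report's own command lines are plain text) and a made-up benign schtasks line to show the negative case. The "MZ+PE" check goes one step beyond the report, which only records the first two bytes, by following e_lfanew to the PE signature when enough of the buffer is available.

```python
"""Added detection example: Defender exclusions via Add-MpPreference / Set-MpPreference
(plain or -EncodedCommand), schtasks /Create with an /XML definition in a temp directory,
and an MZ/PE header written to another process's image base. Event schema is assumed."""
from __future__ import annotations

import base64
import re

_CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
# The real Defender exclusion parameters; the value may be quoted and/or a comma-separated list.
_EXCL_RE = re.compile(r"-Exclusion(Path|Process|Extension|IpAddress)\s+((?:\"[^\"]*\"|'[^']*'|[^\s\"'])+)", re.I)
_ITEM_RE = re.compile(r"\"([^\"]*)\"|'([^']*)'|([^,]+)")
# powershell.exe accepts unambiguous prefixes of -EncodedCommand; these are the common ones.
_ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
_TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def effective_command(cmdline: str) -> str:
    """Return what PowerShell will actually run: -EncodedCommand carries base64 over
    UTF-16LE, so decode it; anything else is returned unchanged."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: malformed base64 stays undecoded
        return cmdline


def find_defender_exclusions(cmdline: str) -> list[tuple[str, str]]:
    """Return (kind, value) for every Defender exclusion the command line adds."""
    cmd = effective_command(cmdline)
    if not _CMDLET_RE.search(cmd):
        return []
    found = []
    for kind, token in _EXCL_RE.findall(cmd):
        for dq, sq, bare in _ITEM_RE.findall(token):  # split "a","b" style lists
            found.append((kind, dq or sq or bare))
    return found


def schtasks_xml_from_temp(cmdline: str) -> str | None:
    """Return the /XML path when schtasks /Create reads its task definition from a
    temp directory (the dropped tmp*.tmp files above), otherwise None."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    m = re.search(r"/xml\s+(\"[^\"]*\"|\S+)", cmdline, re.I)
    if not m:
        return None
    path = m.group(1).strip('"')
    return path if any(t in path.lower() for t in _TEMP_MARKERS) else None


def pe_header_written(ev: dict) -> tuple[str, bool] | None:
    """For a memory-write event, return (confidence, is_self_injection) when the written
    buffer starts with a PE image: 'MZ' alone, or 'MZ+PE' when e_lfanew (offset 0x3C)
    points at a valid 'PE\\0\\0' signature. None when the buffer is not a PE header."""
    data = ev["data"]
    if data[:2] != b"MZ":
        return None
    confidence = "MZ"
    if len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            confidence = "MZ+PE"
    return confidence, ev["source"].lower() == ev["target"].lower()


def triage(events: list[dict]) -> list[str]:
    """Run the three checks over a list of events and return one finding per hit."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            for kind, value in find_defender_exclusions(ev["cmdline"]):
                findings.append(f"defender exclusion ({kind}) added by {ev['parent']}: {value}")
            xml = schtasks_xml_from_temp(ev["cmdline"])
            if xml:
                findings.append(f"scheduled task created from temp XML by {ev['parent']}: {xml}")
        elif ev["type"] == "memory_write":
            hit = pe_header_written(ev)
            if hit:
                conf, self_inj = hit
                label = "self-injection" if self_inj else "remote injection"
                findings.append(f"{label} ({conf}) at base {ev['base']:#x} into {ev['target']}")
    return findings


# Constructed sample telemetry modelled on the report entries. The encoded variant, the
# benign schtasks line and the minimal PE header are made up for this example.
_ENC_PAYLOAD = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\wlBldyvi.exe"'.encode("utf-16-le")
).decode()
_PE_HEADER = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00"  # e_lfanew -> 0x40
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
SAMPLE_EVENTS = [
    {"type": "process_create", "parent": r"C:\Users\user\Desktop\lC7L7oBBMC.exe",
     "cmdline": PS + r' Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"'},
    {"type": "process_create", "parent": r"C:\Users\user\Desktop\lC7L7oBBMC.exe",
     "cmdline": PS + " -EncodedCommand " + _ENC_PAYLOAD},
    {"type": "process_create", "parent": r"C:\Users\user\Desktop\lC7L7oBBMC.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CF.tmp"'},
    {"type": "process_create", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'},
    {"type": "memory_write", "source": r"C:\Users\user\Desktop\lC7L7oBBMC.exe",
     "target": r"C:\Users\user\Desktop\lC7L7oBBMC.exe", "base": 0x400000, "data": _PE_HEADER},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Running the block prints four findings (two exclusions, one temp-XML task, one self-injection) and nothing for the benign schtasks line. The exclusion check decodes -EncodedCommand first because the cmdlet name never appears in the raw command line in that form; the schtasks check keys on the /XML path rather than the task name, since "Updates\..." is only a naming habit and not a reliable signal on its own.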
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Queries volume information: C:\Users\user\Desktop\lC7L7oBBMC.exe VolumeInformation
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\lC7L7oBBMC.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeQueries volume information: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeQueries volume information: C:\Users\user\Desktop\lC7L7oBBMC.exe VolumeInformation
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeQueries volume information: C:\Users\user\AppData\Roaming\wlBldyvi.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: 9.2.lC7L7oBBMC.exe.45436d0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.lC7L7oBBMC.exe.4508cb0.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.lC7L7oBBMC.exe.45436d0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.lC7L7oBBMC.exe.4508cb0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000025.00000002.2491122015.000000000316C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.2491663736.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000027.00000002.2481915050.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000025.00000002.2491122015.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000027.00000002.2490785586.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.2491663736.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000027.00000002.2490785586.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.1299742405.0000000004482000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: lC7L7oBBMC.exe PID: 5104, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: lC7L7oBBMC.exe PID: 7488, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: wlBldyvi.exe PID: 2708, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: IxumRsOtTdrVAu.exe PID: 5096, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeFile opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\lC7L7oBBMC.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\wlBldyvi.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara matchFile source: 9.2.lC7L7oBBMC.exe.45436d0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.lC7L7oBBMC.exe.4508cb0.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.lC7L7oBBMC.exe.45436d0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.lC7L7oBBMC.exe.4508cb0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000027.00000002.2481915050.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000025.00000002.2491122015.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.2491663736.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000027.00000002.2490785586.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.1299742405.0000000004482000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: lC7L7oBBMC.exe PID: 5104, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: lC7L7oBBMC.exe PID: 7488, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: wlBldyvi.exe PID: 2708, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: IxumRsOtTdrVAu.exe PID: 5096, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara matchFile source: 9.2.lC7L7oBBMC.exe.45436d0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.lC7L7oBBMC.exe.4508cb0.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.lC7L7oBBMC.exe.45436d0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.lC7L7oBBMC.exe.4508cb0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000025.00000002.2491122015.000000000316C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.2491663736.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000027.00000002.2481915050.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000025.00000002.2491122015.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000027.00000002.2490785586.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.2491663736.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000027.00000002.2490785586.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.1299742405.0000000004482000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: lC7L7oBBMC.exe PID: 5104, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: lC7L7oBBMC.exe PID: 7488, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: wlBldyvi.exe PID: 2708, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: IxumRsOtTdrVAu.exe PID: 5096, type: MEMORYSTR

                    MITRE ATT&CK Matrix

                    Techniques are listed per tactic, in the order of the report's matrix; a leading number is the count badge shown next to that technique.

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                    Execution: 121 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                    Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Privilege Escalation: 1 DLL Side-Loading; 111 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Defense Evasion: 11 Disable or Modify Tools; 2 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 141 Virtualization/Sandbox Evasion; 111 Process Injection
                    Credential Access: 2 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                    Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 211 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                    Collection: 1 Archive Collected Data; 2 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                    Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                    Behavior Graph

                    Behavior Graph ID: 1569297; Sample: lC7L7oBBMC.exe; Startdate: 05/12/2024; Architecture: WINDOWS; Score: 100. The graph is rendered below as a process tree; numbers in square brackets are the badge counts shown on the graph nodes.

                    Start
                      DNS/IP: mail.iaa-airferight.com; api.ipify.org
                      Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 9 other signatures
                      started lC7L7oBBMC.exe [7]
                        dropped: C:\Users\user\AppData\...\IxumRsOtTdrVAu.exe (PE32); C:\...\IxumRsOtTdrVAu.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpD8CF.tmp (XML); C:\Users\user\AppData\...\lC7L7oBBMC.exe.log (ASCII)
                        Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
                        started lC7L7oBBMC.exe [6]
                          dropped: C:\Users\user\AppData\Roaming\wlBldyvi.exe (PE32); C:\Users\...\wlBldyvi.exe:Zone.Identifier (ASCII)
                          Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                          started 4 other processes
                            DNS/IP: api.ipify.org 104.26.13.205, 443, 49703, 49712 CLOUDFLARENETUS United States; mail.iaa-airferight.com 46.175.148.58, 25 ASLAGIDKOM-NETUA Ukraine
                            Signatures: Loading BitLocker PowerShell Module
                            started conhost.exe; conhost.exe; conhost.exe; WmiPrvSE.exe
                        started powershell.exe [23]
                          Signatures: Loading BitLocker PowerShell Module
                          started conhost.exe
                        started powershell.exe [23]
                          started conhost.exe
                        started schtasks.exe [1]
                          started conhost.exe
                      started IxumRsOtTdrVAu.exe
                        Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
                        started IxumRsOtTdrVAu.exe
                          Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
                        started 3 other processes
                          started conhost.exe
                        started schtasks.exe
                          started conhost.exe
                      started wlBldyvi.exe
                        started wlBldyvi.exe
                          started 2 other processes
                            started conhost.exe
                        started schtasks.exe
                          started conhost.exe

Source | Detection | Scanner | Label
lC7L7oBBMC.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
lC7L7oBBMC.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\wlBldyvi.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
C:\Users\user\AppData\Roaming\wlBldyvi.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.iaa-airferight.com | 46.175.148.58 | true | false | | high
api.ipify.org | 104.26.13.205 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation

Name: https://api.ipify.org
  Source: lC7L7oBBMC.exe, 00000009.00000002.1299742405.0000000004482000.00000004.00000800.00020000.00000000.sdmp, lC7L7oBBMC.exe, 00000013.00000002.2491663736.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, lC7L7oBBMC.exe, 00000013.00000002.2481907734.0000000000434000.00000040.00000400.00020000.00000000.sdmp, wlBldyvi.exe, 00000025.00000002.2491122015.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, IxumRsOtTdrVAu.exe, 00000027.00000002.2490785586.0000000002F51000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Reputation: high

Name: https://account.dyn.com/
  Source: lC7L7oBBMC.exe, 00000009.00000002.1299742405.0000000004482000.00000004.00000800.00020000.00000000.sdmp, IxumRsOtTdrVAu.exe, 00000027.00000002.2481915050.0000000000436000.00000040.00000400.00020000.00000000.sdmp
  Malicious: false | Reputation: high

Name: https://api.ipify.org/t
  Source: lC7L7oBBMC.exe, 00000013.00000002.2491663736.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, wlBldyvi.exe, 00000025.00000002.2491122015.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, IxumRsOtTdrVAu.exe, 00000027.00000002.2490785586.0000000002F51000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Reputation: high

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: lC7L7oBBMC.exe, 00000000.00000002.1271041828.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, lC7L7oBBMC.exe, 00000009.00000002.1296219521.000000000349B000.00000004.00000800.00020000.00000000.sdmp, IxumRsOtTdrVAu.exe, 00000011.00000002.1358182217.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, lC7L7oBBMC.exe, 00000013.00000002.2491663736.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, wlBldyvi.exe, 00000015.00000002.1350292766.0000000003190000.00000004.00000800.00020000.00000000.sdmp, wlBldyvi.exe, 0000001E.00000002.1380641575.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp, IxumRsOtTdrVAu.exe, 0000001F.00000002.1377942726.00000000030AB000.00000004.00000800.00020000.00000000.sdmp, wlBldyvi.exe, 00000025.00000002.2491122015.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, IxumRsOtTdrVAu.exe, 00000027.00000002.2490785586.0000000002F51000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Reputation: high

Name: http://mail.iaa-airferight.com
  Source: lC7L7oBBMC.exe, 00000013.00000002.2491663736.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp, wlBldyvi.exe, 00000025.00000002.2491122015.000000000316C000.00000004.00000800.00020000.00000000.sdmp, IxumRsOtTdrVAu.exe, 00000027.00000002.2490785586.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Reputation: high
IP | Domain | Country | ASN | ASN Name | Malicious
46.175.148.58 | mail.iaa-airferight.com | Ukraine | 56394 | ASLAGIDKOM-NETUA | false
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1569297
                                    Start date and time:2024-12-05 17:39:43 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 10m 31s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:44
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:lC7L7oBBMC.exe
                                    renamed because original name is a hash value
                                    Original Sample Name:0787749d9897612314975e2943139157efcff4dbf604323d3d950c76b7555719.exe
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.evad.winEXE@50/30@2/2
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 313
                                    • Number of non-executed functions: 27
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtCreateKey calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • VT rate limit hit for: lC7L7oBBMC.exe
Time | Type | Description
11:40:36 | API Interceptor | 189x Sleep call for process: lC7L7oBBMC.exe modified
11:40:37 | API Interceptor | 93x Sleep call for process: powershell.exe modified
11:40:43 | API Interceptor | 172x Sleep call for process: wlBldyvi.exe modified
11:40:43 | API Interceptor | 190x Sleep call for process: IxumRsOtTdrVAu.exe modified
17:40:38 | Task Scheduler | Run new task: IxumRsOtTdrVAu path: C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe
17:40:41 | Task Scheduler | Run new task: wlBldyvi path: C:\Users\user\AppData\Roaming\wlBldyvi.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context

Match: 46.175.148.58
  OHScaqAPjt.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse
  RFQ ENQ186 OI REQUIRE RATE.exe | Get hash | malicious | AgentTesla | Browse
  v58HgfB8Af.exe | Get hash | malicious | AgentTesla | Browse
  l6F8Xgr0Ov.exe | Get hash | malicious | AgentTesla | Browse
  SPlVyHiGOz.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse
  2bOizaPPDC.exe | Get hash | malicious | AgentTesla | Browse
  McEdhqMMhs.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse
  55qIbHIAZi.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse
  tEEa6j67ss.exe | Get hash | malicious | AgentTesla | Browse
  RXvVlckUyt.exe | Get hash | malicious | AgentTesla | Browse

Match: 104.26.13.205
  2b7cu0KwZl.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
  file.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
  file.exe | Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse | api.ipify.org/
  file.exe | Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse | api.ipify.org/
  file.exe | Get hash | malicious | RDPWrap Tool | Browse | api.ipify.org/
  Prismifyr-Install.exe | Get hash | malicious | Node Stealer | Browse | api.ipify.org/
  file.exe | Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse | api.ipify.org/
  file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | api.ipify.org/
  file.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
  file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | Browse | api.ipify.org/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context

Match: mail.iaa-airferight.com
  OHScaqAPjt.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse | 46.175.148.58
  RFQ ENQ186 OI REQUIRE RATE.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
  v58HgfB8Af.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
  l6F8Xgr0Ov.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
  SPlVyHiGOz.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 46.175.148.58
  2bOizaPPDC.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
  McEdhqMMhs.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 46.175.148.58
  55qIbHIAZi.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 46.175.148.58
  tEEa6j67ss.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
  RXvVlckUyt.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58

Match: api.ipify.org
  0wxckB4Iba.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 172.67.74.152
  OHScaqAPjt.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse | 172.67.74.152
  8JuGuaUaZP.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
  lUy4SKlE6A.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
  xFHqehx1tb.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 104.26.12.205
  https://app.peony.ink/view/902b02a8-11f0-4e28-89b1-5318035c10eb | Get hash | malicious | EvilProxy, HTMLPhisher | Browse | 104.26.12.205
  7Gt3icFvQW.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
  1AxSwjpyGp.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 104.26.12.205
  FPBKcOFjEP.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 104.26.12.205
  MerchantDetailedStatement_37063_04122024.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context

Match: ASLAGIDKOM-NETUA
  OHScaqAPjt.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse | 46.175.148.58
  RFQ ENQ186 OI REQUIRE RATE.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
  v58HgfB8Af.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
  l6F8Xgr0Ov.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
  SPlVyHiGOz.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 46.175.148.58
  2bOizaPPDC.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
  McEdhqMMhs.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 46.175.148.58
  55qIbHIAZi.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 46.175.148.58
  tEEa6j67ss.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
  RXvVlckUyt.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58

Match: CLOUDFLARENETUS
  https://tippfloorcovering-my.sharepoint.com/:f:/g/personal/inderjeet_tippfloor_com/EpEIzIGDzrlMs2z8rWgki5MBO5-d64iEaOqqeF3ulFqTiw?e=T39wgl | Get hash | malicious | Unknown | Browse | 104.17.25.14
  NBMZzcmkwv.exe | Get hash | malicious | Snake Keylogger | Browse | 172.67.177.134
  0wxckB4Iba.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 172.67.74.152
  6SQADa3zKv.exe | Get hash | malicious | Lokibot, PureLog Stealer, zgRAT | Browse | 172.67.153.63
  Uit9z2gICf.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | 172.67.177.134
  OHScaqAPjt.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse | 172.67.74.152
  3D7sM44MQp.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | 172.67.177.134
  8JuGuaUaZP.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
  lUy4SKlE6A.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
  http://kitces.emlnk1.com | Get hash | malicious | Unknown | Browse | 104.20.0.15
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context

Match: 3b5074b1b5d032e5620f69f9f700ff0e
  0wxckB4Iba.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 104.26.13.205
  OHScaqAPjt.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse | 104.26.13.205
  8JuGuaUaZP.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
  lUy4SKlE6A.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
  DX7V71Ro7b.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.26.13.205
  xFHqehx1tb.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 104.26.13.205
  9KpgpwwGDy.img | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.26.13.205
  z43INF_20231205_A1B5C3.msi | Get hash | malicious | Unknown | Browse | 104.26.13.205
  9V4TlKwcz3.exe | Get hash | malicious | ScreenConnect Tool | Browse | 104.26.13.205
  uC70JKtV2B.exe | Get hash | malicious | ScreenConnect Tool | Browse | 104.26.13.205
                                                        No context
                                                        Process:C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                        Malicious:false
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                        Process:C:\Users\user\Desktop\lC7L7oBBMC.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                        Malicious:true
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                        Process:C:\Users\user\AppData\Roaming\wlBldyvi.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                        Malicious:false
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):2232
                                                        Entropy (8bit):5.380805901110357
                                                        Encrypted:false
                                                        SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
                                                        MD5:16AD599332DD2FF94DA0787D71688B62
                                                        SHA1:02F738694B02E84FFE3BAB7DE5709001823C6E40
                                                        SHA-256:452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
                                                        SHA-512:A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
                                                        Malicious:false
                                                        Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Users\user\Desktop\lC7L7oBBMC.exe
                                                        File Type:XML 1.0 document, ASCII text
                                                        Category:dropped
                                                        Size (bytes):1608
                                                        Entropy (8bit):5.121045418549901
                                                        Encrypted:false
                                                        SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtoxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTIv
                                                        MD5:CCF751F0708312C1F09712FF505FB361
                                                        SHA1:DC764494A6FC45E47FFAED341F1612462B33D78F
                                                        SHA-256:A60FA011C74A00086E86B90F8FBAB9008FFCD5B54324C796B74CDE745A66E874
                                                        SHA-512:6DE89E674780F4BCB531EF15E940A8CEFC323E2932703BFC98A8AC10BE049827B303431494DEF0742CC67F9DC3ABD355A50F5598E5C8F42657ED96845DE93305
                                                        Malicious:true
                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                                        Process:C:\Users\user\Desktop\lC7L7oBBMC.exe
                                                        File Type:XML 1.0 document, ASCII text
                                                        Category:dropped
                                                        Size (bytes):1602
                                                        Entropy (8bit):5.1156773331901695
                                                        Encrypted:false
                                                        SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt7axvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTav
                                                        MD5:5CBAA6557044D92627BFE66627F1953C
                                                        SHA1:BAD1C7FCB0FB7FB3D128B8ECCE2965381803E12A
                                                        SHA-256:D6275AA46B9DF736C1B968B72172FF22F783B3962E1B9B632D9ABBF3815B8CCD
                                                        SHA-512:41931120D79AB006F15D7245262C95545C277769237A21FBC843618DDE8B4A5BA97EFE07E0C5D9FC52FA4FC946E3BCD45AD97348FAC5ECC53D68741EA51969F8
                                                        Malicious:false
                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                                        Process:C:\Users\user\AppData\Roaming\wlBldyvi.exe
                                                        File Type:XML 1.0 document, ASCII text
                                                        Category:dropped
                                                        Size (bytes):1608
                                                        Entropy (8bit):5.121045418549901
                                                        Encrypted:false
                                                        SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtoxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTIv
                                                        MD5:CCF751F0708312C1F09712FF505FB361
                                                        SHA1:DC764494A6FC45E47FFAED341F1612462B33D78F
                                                        SHA-256:A60FA011C74A00086E86B90F8FBAB9008FFCD5B54324C796B74CDE745A66E874
                                                        SHA-512:6DE89E674780F4BCB531EF15E940A8CEFC323E2932703BFC98A8AC10BE049827B303431494DEF0742CC67F9DC3ABD355A50F5598E5C8F42657ED96845DE93305
                                                        Malicious:false
                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                                        Process:C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe
                                                        File Type:XML 1.0 document, ASCII text
                                                        Category:dropped
                                                        Size (bytes):1608
                                                        Entropy (8bit):5.121045418549901
                                                        Encrypted:false
                                                        SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtoxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTIv
                                                        MD5:CCF751F0708312C1F09712FF505FB361
                                                        SHA1:DC764494A6FC45E47FFAED341F1612462B33D78F
                                                        SHA-256:A60FA011C74A00086E86B90F8FBAB9008FFCD5B54324C796B74CDE745A66E874
                                                        SHA-512:6DE89E674780F4BCB531EF15E940A8CEFC323E2932703BFC98A8AC10BE049827B303431494DEF0742CC67F9DC3ABD355A50F5598E5C8F42657ED96845DE93305
                                                        Malicious:false
                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                                        Process:C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe
                                                        File Type:XML 1.0 document, ASCII text
                                                        Category:dropped
                                                        Size (bytes):1602
                                                        Entropy (8bit):5.1156773331901695
                                                        Encrypted:false
                                                        SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt7axvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTav
                                                        MD5:5CBAA6557044D92627BFE66627F1953C
                                                        SHA1:BAD1C7FCB0FB7FB3D128B8ECCE2965381803E12A
                                                        SHA-256:D6275AA46B9DF736C1B968B72172FF22F783B3962E1B9B632D9ABBF3815B8CCD
                                                        SHA-512:41931120D79AB006F15D7245262C95545C277769237A21FBC843618DDE8B4A5BA97EFE07E0C5D9FC52FA4FC946E3BCD45AD97348FAC5ECC53D68741EA51969F8
                                                        Malicious:false
                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                                        Process:C:\Users\user\AppData\Roaming\wlBldyvi.exe
                                                        File Type:XML 1.0 document, ASCII text
                                                        Category:dropped
                                                        Size (bytes):1602
                                                        Entropy (8bit):5.1156773331901695
                                                        Encrypted:false
                                                        SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt7axvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTav
                                                        MD5:5CBAA6557044D92627BFE66627F1953C
                                                        SHA1:BAD1C7FCB0FB7FB3D128B8ECCE2965381803E12A
                                                        SHA-256:D6275AA46B9DF736C1B968B72172FF22F783B3962E1B9B632D9ABBF3815B8CCD
                                                        SHA-512:41931120D79AB006F15D7245262C95545C277769237A21FBC843618DDE8B4A5BA97EFE07E0C5D9FC52FA4FC946E3BCD45AD97348FAC5ECC53D68741EA51969F8
                                                        Malicious:false
                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                                        Process:C:\Users\user\Desktop\lC7L7oBBMC.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1452032
                                                        Entropy (8bit):7.903490142167658
                                                        Encrypted:false
                                                        SSDEEP:24576:szSWNKs08nmbdXiQsGgJF2B+xaJ/ncPUoN0eaxn7wymHinDVw2iTYYuX0J:gSPGyXi0gbKCikPPN0fxn7NmHinDVw2e
                                                        MD5:4C363AFC82B0757D2723FF1287AB85DE
                                                        SHA1:EAE78234D3125EDB5E161641B1C61DFAB9456A46
                                                        SHA-256:0787749D9897612314975E2943139157EFCFF4DBF604323D3D950C76B7555719
                                                        SHA-512:C202CB6C3B8BEF7CB556C335595C03E7DA412E00466491E3BBBEC15391BEC8250D944ADA1EB4B4E5D6215D39C2F28996A025A6DE78243570382CF188744D8AC3
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 71%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zl................0......d......^.... ........@.. ....................................@.....................................O........a..............0L..........p...p............................................ ............... ..H............text...d.... ...................... ..`.rsrc....a.......b..................@..@.reloc...............&..............@..B................@.......H.......D?... ......%...._...n...........................................0..#........~.........,..s..........~.....+..*...}.....(.......(......{....(....|....(....o.....*..*".(.....*...0..+.........,..{.......+....,...{....o........(.....*..0..>.........s....}.....s....}.....s....}.....s....}.....{....o......{....o......(......{.....o......{....o ....{....o!.....{....o ....{....o!.....{....o ....{....o!.....{.....o".....{......s#...o$.....{....r...po%.....{.... ... ....s&...
                                                        Process:C:\Users\user\Desktop\lC7L7oBBMC.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:true
                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                        Process:C:\Users\user\Desktop\lC7L7oBBMC.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1452032
                                                        Entropy (8bit):7.903490142167658
                                                        Encrypted:false
                                                        SSDEEP:24576:szSWNKs08nmbdXiQsGgJF2B+xaJ/ncPUoN0eaxn7wymHinDVw2iTYYuX0J:gSPGyXi0gbKCikPPN0fxn7NmHinDVw2e
                                                        MD5:4C363AFC82B0757D2723FF1287AB85DE
                                                        SHA1:EAE78234D3125EDB5E161641B1C61DFAB9456A46
                                                        SHA-256:0787749D9897612314975E2943139157EFCFF4DBF604323D3D950C76B7555719
                                                        SHA-512:C202CB6C3B8BEF7CB556C335595C03E7DA412E00466491E3BBBEC15391BEC8250D944ADA1EB4B4E5D6215D39C2F28996A025A6DE78243570382CF188744D8AC3
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 71%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zl................0......d......^.... ........@.. ....................................@.....................................O........a..............0L..........p...p............................................ ............... ..H............text...d.... ...................... ..`.rsrc....a.......b..................@..@.reloc...............&..............@..B................@.......H.......D?... ......%...._...n...........................................0..#........~.........,..s..........~.....+..*...}.....(.......(......{....(....|....(....o.....*..*".(.....*...0..+.........,..{.......+....,...{....o........(.....*..0..>.........s....}.....s....}.....s....}.....s....}.....{....o......{....o......(......{.....o......{....o ....{....o!.....{....o ....{....o!.....{....o ....{....o!.....{.....o".....{......s#...o$.....{....r...po%.....{.... ... ....s&...
                                                        Process:C:\Users\user\Desktop\lC7L7oBBMC.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:true
                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):7.903490142167658
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                        • Win32 Executable (generic) a (10002005/4) 49.96%
                                                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        • DOS Executable Generic (2002/1) 0.01%
                                                        File name:lC7L7oBBMC.exe
                                                        File size:1'452'032 bytes
                                                        MD5:4c363afc82b0757d2723ff1287ab85de
                                                        SHA1:eae78234d3125edb5e161641b1c61dfab9456a46
                                                        SHA256:0787749d9897612314975e2943139157efcff4dbf604323d3d950c76b7555719
                                                        SHA512:c202cb6c3b8bef7cb556c335595c03e7da412e00466491e3bbbec15391bec8250d944ada1eb4b4e5d6215d39c2f28996a025a6de78243570382cf188744d8ac3
                                                        SSDEEP:24576:szSWNKs08nmbdXiQsGgJF2B+xaJ/ncPUoN0eaxn7wymHinDVw2iTYYuX0J:gSPGyXi0gbKCikPPN0fxn7NmHinDVw2e
                                                        TLSH:776512EA3DACCA20E291ACB8B251D88F3574D903262EFD5A52E00E5E47DC777291C1D7
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zl................0......d......^.... ........@.. ....................................@................................
                                                        Icon Hash:145cfcf8f2e8cc52
                                                        Entrypoint:0x52e05e
                                                        Entrypoint Section:.text
                                                        Digitally signed:true
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0xE1106C7A [Sat Aug 27 02:59:06 2089 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                        Signature Valid:
                                                        Signature Issuer:
                                                        Signature Validation Error:
                                                        Error Number:
                                                        Not Before, Not After
                                                          Subject Chain
                                                            Version:
                                                            Thumbprint MD5:
                                                            Thumbprint SHA-1:
                                                            Thumbprint SHA-256:
                                                            Serial:
                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            Name                                 Virtual Address  Virtual Size  Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT         0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT         0x12e00c         0x4f          .text
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE       0x130000         0x36118       .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION      0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY       0x12ce00         0x4c30
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC      0x168000         0xc           .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG          0x12ce70         0x70          .text
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT      0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR      0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_TLS            0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_IAT            0x2000           0x8           .text
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   0x0              0x0
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x2008           0x48          .text
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED       0x0              0x0
                                                            Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                                                            .text   0x2000           0x12c064      0x12c200  05130a0aec3c78017b38bc4ef05662b4  False     0.9919336995002083  data       7.992598388880175    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .rsrc   0x130000         0x36118       0x36200   1bdbb18f7b4ba2409f60e76d305732c2  False     0.4746725245381062  data       6.613426793550106    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc  0x168000         0xc           0x200     3177096e7a19c2ee344ad888c4329dd8  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                            Name           RVA       Size     Type                                                                               Language  Country  ZLIB Complexity
                                                            RT_ICON        0x1302b0  0xe0be   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                           0.9943859283206452
                                                            RT_ICON        0x13e370  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 67584                                   0.2501330888441973
                                                            RT_ICON        0x14eb98  0x94a8   Device independent bitmap graphic, 96 x 192 x 32, image size 38016                                    0.30849274752995587
                                                            RT_ICON        0x158040  0x5488   Device independent bitmap graphic, 72 x 144 x 32, image size 21600                                    0.31963955637707947
                                                            RT_ICON        0x15d4c8  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16896                                    0.3098134152102031
                                                            RT_ICON        0x1616f0  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9600                                      0.3566390041493776
                                                            RT_ICON        0x163c98  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4224                                      0.4268292682926829
                                                            RT_ICON        0x164d40  0x988    Device independent bitmap graphic, 24 x 48 x 32, image size 2400                                      0.49631147540983606
                                                            RT_ICON        0x1656c8  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1088                                      0.5886524822695035
                                                            RT_GROUP_ICON  0x165b30  0x84     data                                                                                                  0.7045454545454546
                                                            RT_VERSION     0x165bb4  0x378    data                                                                                                  0.40765765765765766
                                                            RT_MANIFEST    0x165f2c  0x1ea    XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                      0.5489795918367347
                                                            DLL          Import
                                                            mscoree.dll  _CorExeMain
                                                            Timestamp                          Source Port  Dest Port  Source IP      Dest IP
                                                            Dec 5, 2024 17:40:42.203234911 CET  49703        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:42.203263998 CET  443          49703      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:42.203362942 CET  49703        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:42.210294962 CET  49703        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:42.210309029 CET  443          49703      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:43.436625004 CET  443          49703      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:43.437046051 CET  49703        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:43.440110922 CET  49703        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:43.440115929 CET  443          49703      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:43.440535069 CET  443          49703      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:43.486531973 CET  49703        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:43.489466906 CET  49703        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:43.535326958 CET  443          49703      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:43.881473064 CET  443          49703      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:43.881544113 CET  443          49703      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:43.881617069 CET  49703        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:43.894164085 CET  49703        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:44.690990925 CET  49705        25         192.168.2.7    46.175.148.58
                                                            Dec 5, 2024 17:40:45.689654112 CET  49705        25         192.168.2.7    46.175.148.58
                                                            Dec 5, 2024 17:40:47.689611912 CET  49705        25         192.168.2.7    46.175.148.58
                                                            Dec 5, 2024 17:40:49.719019890 CET  49712        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:49.719077110 CET  443          49712      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:49.719301939 CET  49712        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:49.724508047 CET  49712        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:49.724526882 CET  443          49712      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:49.951370955 CET  49713        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:49.951407909 CET  443          49713      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:49.951608896 CET  49713        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:49.954796076 CET  49713        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:49.954817057 CET  443          49713      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:51.009011030 CET  443          49712      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:51.009123087 CET  49712        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:51.012345076 CET  49712        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:51.012356043 CET  443          49712      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:51.012614012 CET  443          49712      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:51.080228090 CET  49712        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:51.175988913 CET  49712        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:51.191914082 CET  443          49713      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:51.192024946 CET  49713        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:51.193408012 CET  49713        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:51.193417072 CET  443          49713      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:51.193689108 CET  443          49713      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:51.223340988 CET  443          49712      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:51.331625938 CET  49713        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:51.367397070 CET  49713        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:51.411324978 CET  443          49713      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:51.520603895 CET  443          49712      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:51.520683050 CET  443          49712      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:51.520765066 CET  49712        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:51.523677111 CET  49712        443        192.168.2.7    104.26.13.205
                                                            Dec 5, 2024 17:40:51.689620018 CET  49705        25         192.168.2.7    46.175.148.58
                                                            Dec 5, 2024 17:40:51.730295897 CET  443          49713      104.26.13.205  192.168.2.7
                                                            Dec 5, 2024 17:40:51.730356932 CET44349713104.26.13.205192.168.2.7
                                                            Dec 5, 2024 17:40:51.730505943 CET49713443192.168.2.7104.26.13.205
                                                            Dec 5, 2024 17:40:51.733551979 CET49713443192.168.2.7104.26.13.205
                                                            Dec 5, 2024 17:40:52.174324989 CET4971925192.168.2.746.175.148.58
                                                            Dec 5, 2024 17:40:52.390620947 CET4972025192.168.2.746.175.148.58
                                                            Dec 5, 2024 17:40:53.205233097 CET4971925192.168.2.746.175.148.58
                                                            Dec 5, 2024 17:40:53.392761946 CET4972025192.168.2.746.175.148.58
                                                            Dec 5, 2024 17:40:55.205218077 CET4971925192.168.2.746.175.148.58
                                                            Dec 5, 2024 17:40:55.408345938 CET4972025192.168.2.746.175.148.58
                                                            Dec 5, 2024 17:40:59.205249071 CET4971925192.168.2.746.175.148.58
                                                            Dec 5, 2024 17:40:59.408361912 CET4972025192.168.2.746.175.148.58
                                                            Dec 5, 2024 17:40:59.689651012 CET4970525192.168.2.746.175.148.58
                                                            Dec 5, 2024 17:41:07.205744982 CET4971925192.168.2.746.175.148.58
                                                            Dec 5, 2024 17:41:07.408377886 CET4972025192.168.2.746.175.148.58
                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Dec 5, 2024 17:40:42.054945946 CET | 62163 | 53 | 192.168.2.7 | 1.1.1.1
                                                            Dec 5, 2024 17:40:42.192514896 CET | 53 | 62163 | 1.1.1.1 | 192.168.2.7
                                                            Dec 5, 2024 17:40:44.500349998 CET | 54145 | 53 | 192.168.2.7 | 1.1.1.1
                                                            Dec 5, 2024 17:40:44.689882040 CET | 53 | 54145 | 1.1.1.1 | 192.168.2.7
                                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                            Dec 5, 2024 17:40:42.054945946 CET | 192.168.2.7 | 1.1.1.1 | 0x179c | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 17:40:44.500349998 CET | 192.168.2.7 | 1.1.1.1 | 0x12a7 | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false
                                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                            Dec 5, 2024 17:40:42.192514896 CET | 1.1.1.1 | 192.168.2.7 | 0x179c | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 17:40:42.192514896 CET | 1.1.1.1 | 192.168.2.7 | 0x179c | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 17:40:42.192514896 CET | 1.1.1.1 | 192.168.2.7 | 0x179c | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                                            Dec 5, 2024 17:40:44.689882040 CET | 1.1.1.1 | 192.168.2.7 | 0x12a7 | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false
                                                            • api.ipify.org
                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.7 | 49703 | 104.26.13.205 | 443 | 7488 | C:\Users\user\Desktop\lC7L7oBBMC.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-05 16:40:43 UTC | 155 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                            Host: api.ipify.org
                                                            Connection: Keep-Alive
                                                            2024-12-05 16:40:43 UTC | 424 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 05 Dec 2024 16:40:43 GMT
                                                            Content-Type: text/plain
                                                            Content-Length: 12
                                                            Connection: close
                                                            Vary: Origin
                                                            CF-Cache-Status: DYNAMIC
                                                            Server: cloudflare
                                                            CF-RAY: 8ed57ac92ba94333-EWR
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1661&min_rtt=1640&rtt_var=630&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1780487&cwnd=248&unsent_bytes=0&cid=3d03f49fbab519a5&ts=459&x=0"
                                                            2024-12-05 16:40:43 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38
                                                            Data Ascii: 8.46.123.228


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            1 | 192.168.2.7 | 49712 | 104.26.13.205 | 443 | 2708 | C:\Users\user\AppData\Roaming\wlBldyvi.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-05 16:40:51 UTC | 155 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                            Host: api.ipify.org
                                                            Connection: Keep-Alive
                                                            2024-12-05 16:40:51 UTC | 426 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 05 Dec 2024 16:40:51 GMT
                                                            Content-Type: text/plain
                                                            Content-Length: 12
                                                            Connection: close
                                                            Vary: Origin
                                                            CF-Cache-Status: DYNAMIC
                                                            Server: cloudflare
                                                            CF-RAY: 8ed57af8ddd1430e-EWR
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=15385&min_rtt=1665&rtt_var=8892&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1753753&cwnd=179&unsent_bytes=0&cid=d55d94b337a3635c&ts=524&x=0"
                                                            2024-12-05 16:40:51 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38
                                                            Data Ascii: 8.46.123.228


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            2 | 192.168.2.7 | 49713 | 104.26.13.205 | 443 | 5096 | C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-12-05 16:40:51 UTC | 155 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                            Host: api.ipify.org
                                                            Connection: Keep-Alive
                                                            2024-12-05 16:40:51 UTC | 424 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 05 Dec 2024 16:40:51 GMT
                                                            Content-Type: text/plain
                                                            Content-Length: 12
                                                            Connection: close
                                                            Vary: Origin
                                                            CF-Cache-Status: DYNAMIC
                                                            Server: cloudflare
                                                            CF-RAY: 8ed57afa09eb42b5-EWR
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1730&min_rtt=1712&rtt_var=679&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1569048&cwnd=214&unsent_bytes=0&cid=0f486aeb2ca5423b&ts=542&x=0"
                                                            2024-12-05 16:40:51 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38
                                                            Data Ascii: 8.46.123.228


                                                            Target ID:0
                                                            Start time:11:40:35
                                                            Start date:05/12/2024
                                                            Path:C:\Users\user\Desktop\lC7L7oBBMC.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\lC7L7oBBMC.exe"
                                                            Imagebase:0x650000
                                                            File size:1'452'032 bytes
                                                            MD5 hash:4C363AFC82B0757D2723FF1287AB85DE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:11:40:36
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe"
                                                            Imagebase:0x4f0000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:11:40:36
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:11:40:36
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
                                                            Imagebase:0x4f0000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:11:40:36
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:11:40:36
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpD8CF.tmp"
                                                            Imagebase:0x2a0000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:11:40:36
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:11:40:37
                                                            Start date:05/12/2024
                                                            Path:C:\Users\user\Desktop\lC7L7oBBMC.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\lC7L7oBBMC.exe"
                                                            Imagebase:0xfa0000
                                                            File size:1'452'032 bytes
                                                            MD5 hash:4C363AFC82B0757D2723FF1287AB85DE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1299742405.0000000004482000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1299742405.0000000004482000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:11:40:38
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lC7L7oBBMC.exe"
                                                            Imagebase:0x4f0000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:11:40:38
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:11:40:38
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\wlBldyvi.exe"
                                                            Imagebase:0x4f0000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:15
                                                            Start time:11:40:38
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:16
                                                            Start time:11:40:38
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\user\AppData\Local\Temp\tmpE08F.tmp"
                                                            Imagebase:0x2a0000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:17
                                                            Start time:11:40:38
                                                            Start date:05/12/2024
                                                            Path:C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe
                                                            Imagebase:0xc40000
                                                            File size:1'452'032 bytes
                                                            MD5 hash:4C363AFC82B0757D2723FF1287AB85DE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 71%, ReversingLabs
                                                            Has exited:true

                                                            Target ID:18
                                                            Start time:11:40:39
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:19
                                                            Start time:11:40:39
                                                            Start date:05/12/2024
                                                            Path:C:\Users\user\Desktop\lC7L7oBBMC.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\lC7L7oBBMC.exe"
                                                            Imagebase:0x540000
                                                            File size:1'452'032 bytes
                                                            MD5 hash:4C363AFC82B0757D2723FF1287AB85DE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.2491663736.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.2491663736.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.2491663736.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Has exited:false

                                                            Target ID:20
                                                            Start time:11:40:39
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                            Imagebase:0x7ff7fb730000
                                                            File size:496'640 bytes
                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                            Has elevated privileges:true
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:21
                                                            Start time:11:40:41
                                                            Start date:05/12/2024
                                                            Path:C:\Users\user\AppData\Roaming\wlBldyvi.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Roaming\wlBldyvi.exe
                                                            Imagebase:0xce0000
                                                            File size:1'452'032 bytes
                                                            MD5 hash:4C363AFC82B0757D2723FF1287AB85DE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 71%, ReversingLabs
                                                            Has exited:true

                                                            Target ID:26
                                                            Start time:11:40:44
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpF58E.tmp"
                                                            Imagebase:0x2a0000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:27
                                                            Start time:11:40:44
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IxumRsOtTdrVAu" /XML "C:\Users\user\AppData\Local\Temp\tmpF62A.tmp"
                                                            Imagebase:0x2a0000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:28
                                                            Start time:11:40:44
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:29
                                                            Start time:11:40:44
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:30
                                                            Start time:11:40:44
                                                            Start date:05/12/2024
                                                            Path:C:\Users\user\AppData\Roaming\wlBldyvi.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\wlBldyvi.exe"
                                                            Imagebase:0xa40000
                                                            File size:1'452'032 bytes
                                                            MD5 hash:4C363AFC82B0757D2723FF1287AB85DE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:31
                                                            Start time:11:40:44
                                                            Start date:05/12/2024
                                                            Path:C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
                                                            Imagebase:0xc20000
                                                            File size:1'452'032 bytes
                                                            MD5 hash:4C363AFC82B0757D2723FF1287AB85DE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:32
                                                            Start time:11:40:46
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\user\AppData\Local\Temp\tmpFF43.tmp"
                                                            Imagebase:0x2a0000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:33
                                                            Start time:11:40:46
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wlBldyvi" /XML "C:\Users\user\AppData\Local\Temp\tmpFF91.tmp"
                                                            Imagebase:0x2a0000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:34
                                                            Start time:11:40:46
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:35
                                                            Start time:11:40:47
                                                            Start date:05/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff75da10000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:36
                                                            Start time:11:40:47
                                                            Start date:05/12/2024
                                                            Path:C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
                                                            Imagebase:0xe0000
                                                            File size:1'452'032 bytes
                                                            MD5 hash:4C363AFC82B0757D2723FF1287AB85DE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:37
                                                            Start time:11:40:47
                                                            Start date:05/12/2024
                                                            Path:C:\Users\user\AppData\Roaming\wlBldyvi.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\wlBldyvi.exe"
                                                            Imagebase:0xc40000
                                                            File size:1'452'032 bytes
                                                            MD5 hash:4C363AFC82B0757D2723FF1287AB85DE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000002.2491122015.000000000316C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000002.2491122015.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000025.00000002.2491122015.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Has exited:false

                                                            Target ID:38
                                                            Start time:11:40:47
                                                            Start date:05/12/2024
                                                            Path:C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
                                                            Imagebase:0x1b0000
                                                            File size:1'452'032 bytes
                                                            MD5 hash:4C363AFC82B0757D2723FF1287AB85DE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:39
                                                            Start time:11:40:47
                                                            Start date:05/12/2024
                                                            Path:C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\IxumRsOtTdrVAu.exe"
                                                            Imagebase:0xb30000
                                                            File size:1'452'032 bytes
                                                            MD5 hash:4C363AFC82B0757D2723FF1287AB85DE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000027.00000002.2481915050.0000000000436000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000027.00000002.2481915050.0000000000436000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000027.00000002.2490785586.0000000002FCC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000027.00000002.2490785586.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000027.00000002.2490785586.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Has exited:false

                                                              Execution Graph

                                                              Execution Coverage:9.8%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:174
                                                              Total number of Limit Nodes:10
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
Memory Dump Source
• Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph (rendered graph omitted; basic blocks edd0a8-edd285, internal call to edd287)
APIs
• GetCurrentProcess.KERNEL32 ref: 00EDD136
• GetCurrentThread.KERNEL32 ref: 00EDD173
• GetCurrentProcess.KERNEL32 ref: 00EDD1B0
• GetCurrentThreadId.KERNEL32 ref: 00EDD209
Memory Dump Source
• Source File: 00000000.00000002.1265824635.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_lC7L7oBBMC.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0

Control-flow Graph (rendered graph omitted; basic blocks edd0b8-edd285, internal call to edd287)
APIs
• GetCurrentProcess.KERNEL32 ref: 00EDD136
• GetCurrentThread.KERNEL32 ref: 00EDD173
• GetCurrentProcess.KERNEL32 ref: 00EDD1B0
• GetCurrentThreadId.KERNEL32 ref: 00EDD209
Memory Dump Source
• Source File: 00000000.00000002.1265824635.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_lC7L7oBBMC.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0

Control-flow Graph (rendered graph omitted; entry 7458da6, basic blocks 7458d69-74590f5)
APIs
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07458FE6
Memory Dump Source
• Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0

Control-flow Graph (rendered graph omitted; basic blocks 7458db0-74590f5)
APIs
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07458FE6
Memory Dump Source
• Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0

Control-flow Graph (rendered graph omitted; basic blocks edae30-edb0b0, internal calls to ed9838, edb0b8/edb0c8/edb11c, eda814, eda824, eda834, eda844)
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 00EDB086
Memory Dump Source
• Source File: 00000000.00000002.1265824635.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_lC7L7oBBMC.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0

Control-flow Graph (rendered graph omitted; basic blocks ed449c-ed5a61)
APIs
• CreateActCtxA.KERNEL32(?), ref: 00ED59C9
Memory Dump Source
• Source File: 00000000.00000002.1265824635.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_lC7L7oBBMC.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

Control-flow Graph (rendered graph omitted; basic blocks ed590c-ed5a61)
APIs
• CreateActCtxA.KERNEL32(?), ref: 00ED59C9
Memory Dump Source
• Source File: 00000000.00000002.1265824635.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_lC7L7oBBMC.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

Control-flow Graph (rendered graph omitted; basic blocks edd2f8-edd3ba)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EDD387
Memory Dump Source
• Source File: 00000000.00000002.1265824635.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_lC7L7oBBMC.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0

Control-flow Graph (rendered graph omitted; basic blocks 7458b28-7458bfe)
APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07458BB8
Memory Dump Source
• Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

Control-flow Graph (rendered graph omitted; basic blocks 745898a-7458a54)
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07458A0E
Memory Dump Source
• Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0

Control-flow Graph (rendered graph omitted; basic blocks 7458c18-7458cde)
APIs
• ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07458C98
Memory Dump Source
• Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0

Control-flow Graph (rendered graph omitted; basic blocks 7458990-7458a54)
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07458A0E
Memory Dump Source
• Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EDD387
Memory Dump Source
• Source File: 00000000.00000002.1265824635.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_lC7L7oBBMC.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
                                                              APIs
                                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07458AD6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07458AD6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0745CCB5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00EDB086
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1265824635.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ed0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0745CCB5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1263743624.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e7d000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1263956216.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e8d000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1263956216.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e8d000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1263956216.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e8d000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1263743624.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e7d000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1263956216.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_e8d000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1265824635.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_ed0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1299525759.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7450000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:

                                                              Execution Graph

                                                              Execution Coverage:10.2%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:237
                                                              Total number of Limit Nodes:7
                                                               execution_graph (rendered in the report as an interactive graph; the node and edge list is summarised here). Root 7dc3f3f -> 7dc419e -> the four wrapper routines 7dc5f98, 7dc59f1, 7dc6006 and 7dc5fa8, each of which fans out to the same 16 helpers in the 7dc63b6-7dc6cb2 range (reported as 12 API calls per wrapper). The helpers reach the kernel32 imports through paired stubs: CreateProcessA via 7dc39ed/7dc39f8, VirtualAllocEx via 7dc36a8/7dc36b0 (call at 7dc36f0), WriteProcessMemory via 7dc3769/7dc3770 (call at 7dc37b8), ReadProcessMemory via 7dc3858/7dc3860 (call at 7dc38ab), Wow64SetThreadContext via 7dc35d0/7dc35d8 (call at 7dc361d) and ResumeThread via 7dc3520/7dc3528 (call at 7dc3568, reached through 7dc7170/7dc7180). The entry points 7dc41ba and 7dc3f15 reach the same four wrappers.
                                                               Separate subgraphs: 7dc71c8 -> 7dc71ee -> 7dc24b0 -> PostMessageW (7dc7448); 32cb0d8 -> 32cb1d0 -> 32cb1e1 -> GetModuleHandleW (32cb408); 32cd460 -> 32cd4a6 -> 32cd62f/32cd640 -> 32cd238 -> DuplicateHandle (32cd6a8); 32c47d0 -> 32c47d9 -> 32c48c9 -> 32c48ed -> 32c4de0/32c4dd0 -> 32c4a2c -> CreateActCtxA (32c5e70).
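The execution graph above is a static call graph recovered from the memory dump: from the root function the loader reaches CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext and ResumeThread, the RunPE (process hollowing) sequence. Turning the flat node/edge dump into a per-entry-point API set is the useful triage step. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses a graph in the report's token format, walks the edges from a chosen entry node, and maps the reachable API names onto hollowing stages. The embedded graph text is a constructed excerpt (a hand-picked subset in the same format, not the full 237-node graph), and the stage table is this example's own grouping of Win32/NT API names.

```python
"""Parse a Joe Sandbox execution_graph dump and report which process-hollowing
(RunPE) stages are reachable from an entry node.

Added example, not part of the report. The graph text below is a constructed
excerpt that copies the report's token format:
    "<id> <addr> [<n> API calls | <ApiName>] ... <id>-><id>"
The stage table is this example's own grouping of API names.
"""
import re
from collections import defaultdict, deque

# Constructed excerpt in the report's format (a hand-picked subset of nodes,
# not the full 237-node graph).
SAMPLE_GRAPH = (
    "execution_graph 22895 7dc3f3f 22896 7dc419e 22895->22896 "
    "22902 7dc5f98 22896->22902 22903 7dc5fc2 22902->22903 "
    "22992 7dc63b6 22903->22992 22996 7dc39f8 CreateProcessA 22992->22996 "
    "23019 7dc6581 22903->23019 23117 7dc36f0 VirtualAllocEx 23019->23117 "
    "22988 7dc6bf0 22903->22988 22990 7dc3769 WriteProcessMemory 22988->22990 "
    "23033 7dc690e 4 API calls 22903->23033 "
    "23036 7dc35d8 Wow64SetThreadContext 23033->23036 "
    "23092 7dc3528 ResumeThread 23033->23092 "
    "23157 7dc71c8 23162 7dc7448 PostMessageW 23157->23162"
)

NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]{6,8}$")          # e.g. 7dc3f3f, 32cb0d8
EDGE = re.compile(r"^(\d+)->(\d+)$")
# Exported API names are CamelCase with at least one lowercase letter; this
# rejects the "API" in "<n> API calls" and lowercase words such as "calls".
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*$")

# Hollowing stages and the API names that implement each (own grouping).
RUNPE_STAGES = {
    "create_target": {"CreateProcessA", "CreateProcessW"},
    "allocate_remote": {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    "write_payload": {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "hijack_entry": {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
    "resume": {"ResumeThread", "NtResumeThread"},
}


def parse_graph(text):
    """Return (nodes, edges): nodes maps id -> {"addr", "apis"}, edges maps id -> set(ids)."""
    tokens = text.split()
    nodes, edges = {}, defaultdict(set)
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges[m.group(1)].add(m.group(2))
            i += 1
            continue
        # A node starts with a decimal id immediately followed by a hex address.
        if NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            current = tok
            nodes[current] = {"addr": tokens[i + 1], "apis": set()}
            i += 2
            continue
        if current is not None and API_NAME.match(tok):
            nodes[current]["apis"].add(tok)
        i += 1
    return nodes, edges


def reachable_apis(nodes, edges, root):
    """Breadth-first walk of the call graph from root, collecting API names."""
    seen, queue, apis = {root}, deque([root]), set()
    while queue:
        node = queue.popleft()
        apis |= nodes.get(node, {"apis": set()})["apis"]
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return apis


def runpe_stages_hit(apis):
    """Map each hollowing stage to the API names from apis that implement it."""
    return {stage: sorted(names & apis) for stage, names in RUNPE_STAGES.items() if names & apis}


def looks_like_runpe(apis):
    """True when every stage is represented. Caveat: a static call graph proves
    reachability, not call order, and it does not show whether CreateProcess
    was given CREATE_SUSPENDED; confirm both from the API trace."""
    return len(runpe_stages_hit(apis)) == len(RUNPE_STAGES)


if __name__ == "__main__":
    nodes, edges = parse_graph(SAMPLE_GRAPH)
    for root in ("22895", "23157"):
        apis = reachable_apis(nodes, edges, root)
        print(root, nodes[root]["addr"], looks_like_runpe(apis), runpe_stages_hit(apis))
```

Run against the excerpt, the root 7dc3f3f hits all five stages while the PostMessageW subgraph hits none, which is the distinction an analyst wants before pulling the injected PE out of the target process. Wow64SetThreadContext in the hijack stage is itself a useful detail: it means the 32-bit loader is driving a 32-bit child on 64-bit Windows.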

                                                              Control-flow Graph

                                                               control_flow_graph (rendered in the report as a block graph; the edge list is summarised here): blocks 7dc39ed through 7dc3d3d. The entry block 7dc39ed-7dc39f4 reaches 7dc3a1a-7dc3a8d directly or via 7dc39f6-7dc3a19; three short self-looping blocks (7dc3aad-7dc3abc, 7dc3b06-7dc3b15, 7dc3b6e-7dc3b7d) precede the CreateProcessA call in 7dc3b87-7dc3c41, which branches to 7dc3c43-7dc3c49 and 7dc3c4a-7dc3cd0; the function ends in the self-looping block at 7dc3d3d.
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07DC3C2E
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1308295303.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_7dc0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 431a36140f13e7ecfe1aac203a83e184b19cd9d04b278d351b87ba7ad1018511
                                                              • Instruction ID: 6bf02cea5bb3ddf1b353bb0335f6cab53ca398d5496808f7aeca125b098cb382
                                                              • Opcode Fuzzy Hash: 431a36140f13e7ecfe1aac203a83e184b19cd9d04b278d351b87ba7ad1018511
                                                              • Instruction Fuzzy Hash: 9FA15CB1D0075ACFEB24DF68C9417EDFBB2BB48310F148269E809A7250DB759985CF92

                                                              Control-flow Graph

                                                               control_flow_graph (edge list summarised): same body as the 7dc39ed graph above, entered at 7dc39f8-7dc3a8d; the CreateProcessA call is in 7dc3b87-7dc3c41, with successors 7dc3c43-7dc3c49 and 7dc3c4a-7dc3cd0, and the function ends in the self-looping block at 7dc3d3d.
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07DC3C2E
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1308295303.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_7dc0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: b8a834a3b1554507060e5454cbd257397945d79a8a82c879be8a13021ddd89e1
                                                              • Instruction ID: 54f5eb3b13bd2ca7f0a01e8efaa5f3464208cbc655bfa66c0d43792891d59c6f
                                                              • Opcode Fuzzy Hash: b8a834a3b1554507060e5454cbd257397945d79a8a82c879be8a13021ddd89e1
                                                              • Instruction Fuzzy Hash: E6914BB1D0075A8FDB24CF69C941BEDFBB2BB48310F148269E809A7250DB759985CF92

                                                              Control-flow Graph

                                                               control_flow_graph (edge list summarised): blocks 32cb1d0 through 32cb450. The entry 32cb1d0-32cb1df either goes straight to 32cb20b-32cb20f or runs the chain at 32cb1e1 (call 32cae84, then at 32cb1f6 a call recorded with two alternative targets, 32cb468 or 32cb458, then the tail 32cb340-32cb400); further internal calls to 32cae90, 32caea0, 32caeb0 and 32caec0 sit between 32cb281 and 32cb306. GetModuleHandleW is called in 32cb408-32cb433, which branches to 32cb435-32cb43b and 32cb43c-32cb450.
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 032CB426
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1295418095.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_32c0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 2ad307d5bab4a32789888b94eb273903228a3b455c69c511fa6e45e5855b5103
                                                              • Instruction ID: 9a38856e2101239a33b54241f89c87a36c6ba88f4cdf15dae90f3f3eeeb1fd66
                                                              • Opcode Fuzzy Hash: 2ad307d5bab4a32789888b94eb273903228a3b455c69c511fa6e45e5855b5103
                                                              • Instruction Fuzzy Hash: E0714870A20B468FD724DF6AD44175ABBF5FF88200F048A2DD44ADBA50DB74E885CBD1

                                                              Control-flow Graph

                                                               control_flow_graph (edge list summarised): the entry block 32c5e64-32c5f31 contains the CreateActCtxA call and branches to 32c5f33-32c5f39 and 32c5f3a-32c5f94; the remainder (32c5f96-32c5fb8) ends in the self-looping block at 32c5fb9.
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 032C5F21
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1295418095.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_32c0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 58215cc5e9e134a337b784776788105b675ad2fd17a5aefd6e9418b3b466e232
                                                              • Instruction ID: 523ac5306b3b43cda5361988df4be9f5580c90b61e61d093dff8b0de520e499b
                                                              • Opcode Fuzzy Hash: 58215cc5e9e134a337b784776788105b675ad2fd17a5aefd6e9418b3b466e232
                                                              • Instruction Fuzzy Hash: 2441E2B1C10769CFDB28CFAAC844B8DFBB1BF49304F24816AD408AB255D7756946CF90

                                                              Control-flow Graph

                                                               control_flow_graph (edge list summarised): same tail as the 32c5e64 graph above, here with the entry block recorded as 32c4a2c-32c5f31 containing the CreateActCtxA call; successors 32c5f33-32c5f39 and 32c5f3a-32c5f94, ending in the self-looping block at 32c5fb9.
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 032C5F21
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1295418095.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_32c0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: ca9dc52c6dbb2ba90cb3a98b6e0146ca97bf5253e5bfaae786977c7a9a9610a5
                                                              • Instruction ID: 493f7add2d40ed4ac056a269e855cf935c8856fb23b854709ad1c3aa01e674c2
                                                              • Opcode Fuzzy Hash: ca9dc52c6dbb2ba90cb3a98b6e0146ca97bf5253e5bfaae786977c7a9a9610a5
                                                              • Instruction Fuzzy Hash: E341F2B1C1071DCBDB28DFAAC844B8DBBF5BF49304F20816AD508AB255DB756986CF90

                                                              Control-flow Graph

                                                               control_flow_graph (edge list summarised): entry 7dc3769-7dc37be reaches the WriteProcessMemory call block 7dc37ce-7dc380d directly or via 7dc37c0-7dc37cc; that block branches to 7dc380f-7dc3815 and 7dc3816-7dc3846.
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07DC3800
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1308295303.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_7dc0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 69c3c600db13f40dffeb010b812ad3d04a35d5bb076e04aa0ff56a09a41b933f
                                                              • Instruction ID: b4d824537524a93c7de2966cccd26c569223351ee62d0f37f15882e9eb0ee047
                                                              • Opcode Fuzzy Hash: 69c3c600db13f40dffeb010b812ad3d04a35d5bb076e04aa0ff56a09a41b933f
                                                              • Instruction Fuzzy Hash: C52155B1D0034A9FDB10DFA9C881BEEBBF1FF48310F14842AE959A7240C7789941CB60

                                                              Control-flow Graph

                                                               control_flow_graph (edge list summarised): same body as the 7dc3769 graph above, entered at 7dc3770-7dc37be; the WriteProcessMemory call block 7dc37ce-7dc380d is reached directly or via 7dc37c0-7dc37cc and branches to 7dc380f-7dc3815 and 7dc3816-7dc3846.
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07DC3800
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1308295303.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_7dc0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 881ac97239c2b8e5d7d2a37c3873af976b8dcce3497f6eb99121081b0304e159
                                                              • Instruction ID: b3364d93108e4feafbd2a683194d384d3ef053d5daf4192c92236751f59655bc
                                                              • Opcode Fuzzy Hash: 881ac97239c2b8e5d7d2a37c3873af976b8dcce3497f6eb99121081b0304e159
                                                              • Instruction Fuzzy Hash: AF2126B5D003499FDB10DFAAC881BDEBBF5FF48310F50842AE959A7250C7789940CBA5

                                                              Control-flow Graph

                                                               control_flow_graph (edge list summarised): entry 7dc35d0-7dc3623 reaches the Wow64SetThreadContext call block 7dc3633-7dc3663 directly or via 7dc3625-7dc3631; that block branches to 7dc3665-7dc366b and 7dc366c-7dc369c.
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07DC3656
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1308295303.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_7dc0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: fd8e0e4a030eb744e9452f7b68bbd1e521245cd38743c415d63b1660e448eedc
                                                              • Instruction ID: 446ed33c2646d8dee75e334e428b1e63980380d213501681c83347a9424f3fe5
                                                              • Opcode Fuzzy Hash: fd8e0e4a030eb744e9452f7b68bbd1e521245cd38743c415d63b1660e448eedc
                                                              • Instruction Fuzzy Hash: 452154B1D003098FDB20DFAAC481BAEBBF4AB48210F54842ED419A7740CB789945CFA0

                                                              Control-flow Graph

                                                               control_flow_graph (edge list summarised): the single block 32cd238-32cd73c contains the DuplicateHandle call and branches to 32cd73e-32cd744 and 32cd745-32cd762.
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,032CD66E,?,?,?,?,?), ref: 032CD72F
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1295418095.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_32c0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0

                                                              Control-flow Graph

                                                              • 32cd6a0-32cd6a3 -> 32cd6a8-32cd73c
                                                              • 32cd6a8-32cd73c (DuplicateHandle) -> 32cd73e-32cd744, 32cd745-32cd762
                                                              • 32cd73e-32cd744 -> 32cd745-32cd762
                                                              • 32cd745-32cd762
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,032CD66E,?,?,?,?,?), ref: 032CD72F
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1295418095.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_32c0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0

                                                              Control-flow Graph

                                                              • 7dc3858-7dc38ed (ReadProcessMemory) -> 7dc38ef-7dc38f5, 7dc38f6-7dc3926
                                                              • 7dc38ef-7dc38f5 -> 7dc38f6-7dc3926
                                                              • 7dc38f6-7dc3926
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07DC38E0
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1308295303.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_7dc0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0

                                                              Control-flow Graph

                                                              • 7dc35d8-7dc3623 -> 7dc3625-7dc3631, 7dc3633-7dc3663
                                                              • 7dc3625-7dc3631 -> 7dc3633-7dc3663
                                                              • 7dc3633-7dc3663 (Wow64SetThreadContext) -> 7dc366c-7dc369c, 7dc3665-7dc366b
                                                              • 7dc3665-7dc366b -> 7dc366c-7dc369c
                                                              • 7dc366c-7dc369c
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07DC3656
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1308295303.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_7dc0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0

                                                              Control-flow Graph

                                                              • 7dc3860-7dc38ed (ReadProcessMemory) -> 7dc38ef-7dc38f5, 7dc38f6-7dc3926
                                                              • 7dc38ef-7dc38f5 -> 7dc38f6-7dc3926
                                                              • 7dc38f6-7dc3926
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07DC38E0
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1308295303.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_7dc0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07DC371E
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1308295303.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_7dc0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07DC371E
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1308295303.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_7dc0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1308295303.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_7dc0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1308295303.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_7dc0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 032CB426
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1295418095.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_32c0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07DC74A5
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1308295303.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_7dc0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07DC74A5
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1308295303.0000000007DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_7dc0000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1293144274.00000000018CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_18cd000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1293144274.00000000018CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_18cd000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1293875900.00000000018DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_18dd000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1293875900.00000000018DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_18dd000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1293875900.00000000018DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_18dd000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1293144274.00000000018CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_18cd000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1293144274.00000000018CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_18cd000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.1293875900.00000000018DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018DD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_18dd000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:

                                                              Execution Graph

                                                              Execution Coverage:9.6%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:221
                                                              Total number of Limit Nodes:11
144479d 36124->36125 36129 1444888 36125->36129 36133 1444878 36125->36133 36131 14448af 36129->36131 36130 144498c 36131->36130 36137 144449c 36131->36137 36135 14448af 36133->36135 36134 144498c 36134->36134 36135->36134 36136 144449c CreateActCtxA 36135->36136 36136->36134 36138 1445918 CreateActCtxA 36137->36138 36140 14459db 36138->36140 36323 144ad38 36324 144ad39 36323->36324 36328 144ae30 36324->36328 36333 144ae21 36324->36333 36325 144ad47 36329 144ae64 36328->36329 36330 144ae41 36328->36330 36329->36325 36330->36329 36331 144b068 GetModuleHandleW 36330->36331 36332 144b095 36331->36332 36332->36325 36334 144ae64 36333->36334 36335 144ae41 36333->36335 36334->36325 36335->36334 36336 144b068 GetModuleHandleW 36335->36336 36337 144b095 36336->36337 36337->36325 36338 144d0b8 36339 144d0fe GetCurrentProcess 36338->36339 36341 144d150 GetCurrentThread 36339->36341 36342 144d149 36339->36342 36343 144d18d GetCurrentProcess 36341->36343 36344 144d186 36341->36344 36342->36341 36345 144d1c3 36343->36345 36344->36343 36346 144d1eb GetCurrentThreadId 36345->36346 36347 144d21c 36346->36347 36141 30f6a60 36142 30f6a8d 36141->36142 36143 30f6c9c 36142->36143 36146 30f9048 36142->36146 36152 30f9058 36142->36152 36147 30f9058 36146->36147 36151 30f907c 36147->36151 36159 30f7d24 36147->36159 36149 30f90a0 36150 30f7d24 GetCurrentThreadId 36149->36150 36150->36151 36151->36143 36153 30f907c 36152->36153 36154 30f9083 36152->36154 36153->36143 36155 30f7d24 GetCurrentThreadId 36154->36155 36158 30f90aa 36154->36158 36156 30f90a0 36155->36156 36157 30f7d24 GetCurrentThreadId 36156->36157 36157->36158 36158->36143 36160 30f7d2f 36159->36160 36161 30f93bf GetCurrentThreadId 36160->36161 36162 30f93aa 36160->36162 36161->36162 36162->36149 36348 30f1cf0 36349 30f1d58 CreateWindowExW 36348->36349 36351 30f1e14 36349->36351

                                                               Control-flow Graph: function 144d0a8-144d285 (executed/not-executed node data omitted). Basic blocks call GetCurrentProcess, GetCurrentThread, GetCurrentProcess again and GetCurrentThreadId, plus an internal call to 144d287.
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 0144D136
                                                              • GetCurrentThread.KERNEL32 ref: 0144D173
                                                              • GetCurrentProcess.KERNEL32 ref: 0144D1B0
                                                              • GetCurrentThreadId.KERNEL32 ref: 0144D209
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1346577346.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_1440000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: cd47b25545f5362d41a02baad7b4ee3492871b51db6a48b6040398b078572510
                                                              • Instruction ID: 101a0960229bb0035ecc6887c0672395ed60ab5e1ebdc9107f93d59bb02f23bc
                                                              • Opcode Fuzzy Hash: cd47b25545f5362d41a02baad7b4ee3492871b51db6a48b6040398b078572510
                                                              • Instruction Fuzzy Hash: D35178B0D003498FEB15DFAAD548B9EBBF1EF88310F24849AE419A7360DB349845CF65

                                                               Control-flow Graph: function 144d0b8-144d285 (executed/not-executed node data omitted). Basic blocks call GetCurrentProcess, GetCurrentThread, GetCurrentProcess again and GetCurrentThreadId, plus an internal call to 144d287.
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 0144D136
                                                              • GetCurrentThread.KERNEL32 ref: 0144D173
                                                              • GetCurrentProcess.KERNEL32 ref: 0144D1B0
                                                              • GetCurrentThreadId.KERNEL32 ref: 0144D209
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1346577346.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_1440000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: 524316b3e6cd30a495f95e928ad9a2ba3b7e63680fcbc94a6f1f623267715877
                                                              • Instruction ID: c751b7bbbe76e6ac98548ef8bea2f1dfc90e887eb743861d8df37d43ad2622e4
                                                              • Opcode Fuzzy Hash: 524316b3e6cd30a495f95e928ad9a2ba3b7e63680fcbc94a6f1f623267715877
                                                              • Instruction Fuzzy Hash: C05156B0D003098FEB14DFAAD548BAEBBF1EF88310F20845AE419A7360DB349845CF65

                                                               Control-flow Graph: function 5c28c74-5c28fc5 (executed/not-executed node data omitted). CreateProcessA is called from block 5c28e0f-5c28ec9.
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05C28EB6
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1395377242.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_5c20000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: bd3f4cb2ef09b777f7ed07a593c96508cc32f9774149c33c475c83cdba566931
                                                              • Instruction ID: c458f3f91768d08a86b5ae4959838dee871133c51282f9b3dddc484a95cd7c2e
                                                              • Opcode Fuzzy Hash: bd3f4cb2ef09b777f7ed07a593c96508cc32f9774149c33c475c83cdba566931
                                                              • Instruction Fuzzy Hash: C0914E71D0472A9FEF24CFA9C841BEDBBB2BF44310F148569E805A7280DB749A85CF91

                                                               Control-flow Graph: function 5c28c80-5c28fc5 (executed/not-executed node data omitted). CreateProcessA is called from block 5c28e0f-5c28ec9.
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05C28EB6
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1395377242.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_5c20000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 1f73b4e109c09ba30001dad81deccfb5ed31d1e35bc88d52a85b5f0623175ae1
                                                              • Instruction ID: b29288c91974b24287afbc42083e86355d952a9a8167636e249bac200390b5dc
                                                              • Opcode Fuzzy Hash: 1f73b4e109c09ba30001dad81deccfb5ed31d1e35bc88d52a85b5f0623175ae1
                                                              • Instruction Fuzzy Hash: B2914F71D047299FEF24DF69C841BEDBBB2BF44310F148569E809A7280DB749A85CF91

                                                               Control-flow Graph: function 144ae30-144b0b0 (executed/not-executed node data omitted). GetModuleHandleW is called from block 144b068-144b093; internal calls go to 1449838, 144b0c8, 144b0b8, 144a814, 144a824, 144a834 and 144a844.
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0144B086
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1346577346.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_1440000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 1a4caf8b694e059ffa64462e3607343913b9849474febe1c035ecd1e8365136b
                                                              • Instruction ID: 61ce0b292268fd640f3aa30b932ca4c0a174bd4504e8909df61bc2ee7c57d488
                                                              • Opcode Fuzzy Hash: 1a4caf8b694e059ffa64462e3607343913b9849474febe1c035ecd1e8365136b
                                                              • Instruction Fuzzy Hash: D4813770A00B058FE724DF2AD55475ABBF1FF88214F20892ED49AD7B60D735E846CB91

                                                               Control-flow Graph: function 30f1ce5-30f1e61 (executed/not-executed node data omitted). CreateWindowExW is called from block 30f1db3-30f1e12.
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 030F1E02
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1357403069.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_30f0000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              • Opcode ID: 564aa9ed6b1997c39f41d17cd38ea7fbbf3123816b4c5f603ffd009823985400
                                                              • Instruction ID: 456046fe3801c1bc173491b18e7463071e133a8d407f0a1953d56e775c89eb4f
                                                              • Opcode Fuzzy Hash: 564aa9ed6b1997c39f41d17cd38ea7fbbf3123816b4c5f603ffd009823985400
                                                              • Instruction Fuzzy Hash: 2D51BCB1D00349DFDB14CF9AC884ADEFBB6BF48310F64812AE818AB250D7719945CF90

                                                               Control-flow Graph: function 30f1cf0-30f1e61 (executed/not-executed node data omitted). CreateWindowExW is called from block 30f1d73-30f1e12.
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 030F1E02
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1357403069.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_30f0000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              • Opcode ID: 642c34406380404b6c6807e3bc59584d9778003044b023254b512fc2d27d7bda
                                                              • Instruction ID: d153ca15179d78ce10b8442bd3b697c5e3dd8ea3d871be6fb1ef9da8538a2a00
                                                              • Opcode Fuzzy Hash: 642c34406380404b6c6807e3bc59584d9778003044b023254b512fc2d27d7bda
                                                              • Instruction Fuzzy Hash: DC41ACB1D00309DFDB14CF9AC884ADEFBB6BF48310F64812AE918AB250D7759845CF90
                                                              APIs
                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 030F4381
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1357403069.00000000030F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_30f0000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: CallProcWindow
                                                              • String ID:
                                                              • API String ID: 2714655100-0
                                                              • Opcode ID: bd9c155c78b89d75f93f4c8ea13f4a487f20d543030703abea9cfafac6fd77df
                                                              • Instruction ID: a2eb1cdb1a8f95c14c6256ec65ed962c5f343283c1cfd005459f2ba5da4d7ef9
                                                              • Opcode Fuzzy Hash: bd9c155c78b89d75f93f4c8ea13f4a487f20d543030703abea9cfafac6fd77df
                                                              • Instruction Fuzzy Hash: 9E4118B49003098FDB14CF96C488AABFBF5FB88314F648459D619AB321D774A841CBA4
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 014459C9
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1346577346.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_1440000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 141ad3bf54d612605fabde86d625843790823d67a28ff827118708f9f34b06a3
                                                              • Instruction ID: 3f25b42419e9caf19c582f95d1111abb9ca19e0176a01a86f512289e43e4f9ec
                                                              • Opcode Fuzzy Hash: 141ad3bf54d612605fabde86d625843790823d67a28ff827118708f9f34b06a3
                                                              • Instruction Fuzzy Hash: 3641E371C0071DCBEB24DFAAC84478EBBF5BF49314F20816AD509AB251DB756946CF90
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 014459C9
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1346577346.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_1440000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 5f1508721ded24c05b5d9fdfb1fab60f4c28e85b0e683816ac29857b08760d43
                                                              • Instruction ID: d558febe02251cbe184c988dd372b07b132b3a473221b00219866842acfd0102
                                                              • Opcode Fuzzy Hash: 5f1508721ded24c05b5d9fdfb1fab60f4c28e85b0e683816ac29857b08760d43
                                                              • Instruction Fuzzy Hash: D541F2B1C00719CFEB24DFAAC88478EBBF5BF48314F20806AD409AB251DB755946CF90
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05C28A88
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1395377242.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_5c20000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 161c97f75c2d1906cc3170bd52777a193b64c6d55daada78693162a3d957a9c3
                                                              • Instruction ID: a2ded7cab43d02c9076c7829352a302330474078c4fde61895cdb232600a29a3
                                                              • Opcode Fuzzy Hash: 161c97f75c2d1906cc3170bd52777a193b64c6d55daada78693162a3d957a9c3
                                                              • Instruction Fuzzy Hash: FE212571D003199FDB10CFA9C881BDEBBF1FB48310F508829E919A7241CB789945CBA0
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05C28A88
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1395377242.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_5c20000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0144D387
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1346577346.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_1440000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05C288DE
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1395377242.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_5c20000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C28B68
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1395377242.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_5c20000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05C288DE
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1395377242.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_5c20000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05C28B68
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1395377242.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_5c20000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0144D387
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1346577346.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_1440000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05C289A6
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1395377242.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_5c20000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05C289A6
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1395377242.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_5c20000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1395377242.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_5c20000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1395377242.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_5c20000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0144B086
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1346577346.0000000001440000.00000040.00000800.00020000.00000000.sdmp, Offset: 01440000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_1440000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 05C2BF9D
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1395377242.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_5c20000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 05C2BF9D
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.1395377242.0000000005C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_5c20000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0

                                                              Execution Graph

                                                               Execution Coverage: 13.6%
                                                               Dynamic/Decrypted Code Coverage: 100%
                                                               Signature Coverage: 0%
                                                               Total number of Nodes: 25
                                                               Total number of Limit Nodes: 6

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q$$q$$q
                                                              • API String ID: 0-2069967915

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q
                                                              • API String ID: 0-3126353813
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e8f8f79bcba1f9570689ec720d87f26bcb6d98bb89b54e35f81343bd9ce8bec0
                                                              • Instruction ID: 9590d2d25b8d0a120322585ccf26351a559462b3b1ee86c5529fef721af8832f
                                                              • Opcode Fuzzy Hash: e8f8f79bcba1f9570689ec720d87f26bcb6d98bb89b54e35f81343bd9ce8bec0
                                                              • Instruction Fuzzy Hash: 9B927830E102049FDB64CB68C598B6DBBFAEF45314F5484A9D809EB355DB31ED86CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f5a05005a2e9568124ccec7847b503e04b3e6aa098ee7a86086721c50455e289
                                                              • Instruction ID: 321f5b0574db33a4f065a48c94a20a7d08d5e66d74ace8395347d8fb620f544e
                                                              • Opcode Fuzzy Hash: f5a05005a2e9568124ccec7847b503e04b3e6aa098ee7a86086721c50455e289
                                                              • Instruction Fuzzy Hash: 27629C34A002048FEF54DB68D594BADBBF6EF88314F148469E806DB354DB75ED46CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 603e8a0c284efe1485a521ffcc2c2fae2ce05cd4cb7c3b21d560ed3bec0ab6ca
                                                              • Instruction ID: b0dc64c360b00c377c0792c96bba0c80d2616a4d11873531ef1c20aefdee478c
                                                              • Opcode Fuzzy Hash: 603e8a0c284efe1485a521ffcc2c2fae2ce05cd4cb7c3b21d560ed3bec0ab6ca
                                                              • Instruction Fuzzy Hash: FB22E331F002149FDF65DB68C5807AEBBBAEF85320F248469D856EB355CA35DD42CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d0ca75308a21ca768af65ca5d6fd48c5771b0670d4f014e57f5bc8c33d2221d4
                                                              • Instruction ID: 6bbc48b3869a77b574576ab10ebb76d4fe1f5debb7317cf910fad30c18ed454f
                                                              • Opcode Fuzzy Hash: d0ca75308a21ca768af65ca5d6fd48c5771b0670d4f014e57f5bc8c33d2221d4
                                                              • Instruction Fuzzy Hash: E0225330E102099FEF64DB69E4847AFB7F6EB85310F248526E815DB395DA34EC42CB61

                                                               Control-flow Graph
                                                               • Function at 669acb8 (interactive graph omitted; nodes were marked Executed / Not Executed). Calls: 669b20f, 6696590.
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: XM$XM$$q$$q$$q$$q$$q$$q$$q$$q
                                                              • API String ID: 0-4055301323
                                                              • Opcode ID: 84467906c2c080dd37d4857f7fa00a866b869623e88ee579a5b512b4d9f629c9
                                                              • Instruction ID: 55987e1a55da3c7c146afb931ce18a2d46558fcb36f571f01572afb7e2bdd43e
                                                              • Opcode Fuzzy Hash: 84467906c2c080dd37d4857f7fa00a866b869623e88ee579a5b512b4d9f629c9
                                                              • Instruction Fuzzy Hash: DFE15E30E003498FDF65DBA8D8406AEB7F6FF85311F208529E805AB355DB75AC46CBA1

                                                               Control-flow Graph
                                                               • Function at 669b630 (interactive graph omitted; nodes were marked Executed / Not Executed). Calls: 6696590 (two call sites).
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q$$q$$q
                                                              • API String ID: 0-2069967915
                                                              • Opcode ID: ed92ff044fe3ea39078c41366f5860d5c483ef742934c651dc74965a3005d029
                                                              • Instruction ID: d6309a4370f77bea6caa145c7611aaf806b79d5eddedadba27b041fa7bb1c284
                                                              • Opcode Fuzzy Hash: ed92ff044fe3ea39078c41366f5860d5c483ef742934c651dc74965a3005d029
                                                              • Instruction Fuzzy Hash: 92027E30E102098FDF64DB69E4847AEB7F6EB85310F24856AE805DB355DB70EC46CBA1

                                                               Control-flow Graph
                                                               • Function at 6699138 (interactive graph omitted; nodes were marked Executed / Not Executed). No calls resolved inside the function.
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q
                                                              • API String ID: 0-4102054182
                                                              • Opcode ID: 70f83e7258136eeb679d13be185ee4b9e91f05dafbb6a4f93f287a22c77bc89c
                                                              • Instruction ID: 877c424953394364e36c00144a8c2ec220aad20dc466986ce65f36509e81099f
                                                              • Opcode Fuzzy Hash: 70f83e7258136eeb679d13be185ee4b9e91f05dafbb6a4f93f287a22c77bc89c
                                                              • Instruction Fuzzy Hash: CF912130F102199FDB54DB69D850B6E7BEAFF89300F148569D819EB348EE70DD428BA1

                                                               Control-flow Graph
                                                               • Function at 669cf28 (interactive graph omitted; nodes were marked Executed / Not Executed). Calls: 669da9d, 6696590 (three call sites).
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q
                                                              • API String ID: 0-3067366958
                                                              • Opcode ID: cd840b25136ff942dcf5e0c2fcc6a881a40b6af5d29e29d7e1fced998c8adda4
                                                              • Instruction ID: 9540f276ac25b9f18f4dcb54274ebf5bfbc9073dbeffe8467326bd932a778932
                                                              • Opcode Fuzzy Hash: cd840b25136ff942dcf5e0c2fcc6a881a40b6af5d29e29d7e1fced998c8adda4
                                                              • Instruction Fuzzy Hash: DC626B34A007158FDB65EF68D590A5EB7A2FF84304B208A28D4059F369DB71FD4BCB91

                                                               Control-flow Graph
                                                               • Function at 6694b50 (interactive graph omitted; nodes were marked Executed / Not Executed). Calls: 66953f8.
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: fq$XPq$\Oq
                                                              • API String ID: 0-132346853
                                                              • Opcode ID: 0e549a0178a8b97b91e4b81183e09098c2dcd05dc42eaa7c471930afbc8af3c2
                                                              • Instruction ID: 1aab4060d17a46870024dcfa00c007422425b2dbad934c370a4184c091bf4a06
                                                              • Opcode Fuzzy Hash: 0e549a0178a8b97b91e4b81183e09098c2dcd05dc42eaa7c471930afbc8af3c2
                                                              • Instruction Fuzzy Hash: 33615F34F002189FEF549BA9C8157AEBAF6FF88300F208529D506EB395DF758D458BA0

                                                               Control-flow Graph
                                                               • Function at f1eb38 (interactive graph omitted; nodes were marked Executed / Not Executed). Entered from a caller block at f1eaff-f1eb18; the call at f1eb95 is resolved to f1ec20 (alternatively back to f1eb38); block f1ec07-f1ec94 calls GlobalMemoryStatusEx and branches to f1ec96-f1ec9c or f1ec9d-f1ecc5.
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2488776167.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_f10000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: {/3a
                                                              • API String ID: 0-1622527394
                                                              • Opcode ID: 669a4b2ec84e30c85c50630afb9dbc3967dfbbce7b5a19280a0e456691eb2645
                                                              • Instruction ID: aa7ab6d175d7cc485efc19c08ee56af13a2f1d7beed73ea3a09b96344a4b06a5
                                                              • Opcode Fuzzy Hash: 669a4b2ec84e30c85c50630afb9dbc3967dfbbce7b5a19280a0e456691eb2645
                                                              • Instruction Fuzzy Hash: 97513332D043899FDB14DF79D8047DABBF6AF85320F04856AD845A7282DB789885CBE1

                                                               Control-flow Graph
                                                               • Function at f1ec20 (interactive graph omitted; nodes were marked Executed / Not Executed). Block f1ec20-f1ec94 calls GlobalMemoryStatusEx, then branches to f1ec96-f1ec9c or f1ec9d-f1ecc5.
                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 00F1EC87
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2488776167.0000000000F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_f10000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID: {/3a
                                                              • API String ID: 1890195054-1622527394
                                                              • Opcode ID: 2be079b95d6c37cf2df309b34dfecc58b1bc39d42e6b54d1e1c7ecf319ac09d9
                                                              • Instruction ID: d33fb3844c2546341a26329ac7dfd88e0c6a62620dd5614b05816e0a5ec4ff07
                                                              • Opcode Fuzzy Hash: 2be079b95d6c37cf2df309b34dfecc58b1bc39d42e6b54d1e1c7ecf319ac09d9
                                                              • Instruction Fuzzy Hash: D111F3B1C0065A9BDB10DF9AC945BDEFBF4AF48320F15812AE818A7240D778A945CFE5
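Both memory dumps the IDA plugin disassembles above (base 06690000 and base 00F10000, both "based on PE: false") are named with the same dotted field layout, and the fourth, fifth and seventh fields read as a base address, a Win32 page protection (00000040) and a memory type (00020000). The decoder below is an added example, not Joe Sandbox tooling: the field layout (pid.run.dumpid.base.protect.unknown.type.unknown) is an assumption inferred from the names on this page, and only the PID, run number and base are confirmed by the matching snapshot names (hcaresult_19_2_6690000_... and hcaresult_19_2_f10000_...); the constant tables are the documented Windows values. The two dump names are copied from this report; everything else is constructed.

```python
"""Decode Joe Sandbox memory-dump source names and flag RWX private regions.

Added example, not Joe Sandbox code. ASSUMPTION: fields are
pid.run.dumpid.base.protect.<unknown>.type.<unknown>.sdmp; only pid, run and
base are confirmed by the hcaresult_<pid>_<run>_<base>_ snapshot names.
"""
import re

# Documented Win32 page-protection values (low byte of the protect field).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Documented MEMORY_BASIC_INFORMATION.Type values.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

DUMP_RE = re.compile(
    r"^(?P<pid>[0-9a-f]{8})\.(?P<run>[0-9a-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<mtype>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$", re.I)
SNAP_RE = re.compile(r"^hcaresult_(?P<pid>\d+)_(?P<run>\d+)_(?P<base>[0-9a-f]+)_", re.I)

# Names copied from this report.
DUMPS = [
    "00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp",
    "00000013.00000002.2488776167.0000000000F10000.00000040.00000800.00020000.00000000.sdmp",
]


def decode_dump_name(name):
    """Return the decoded fields of one .sdmp name (layout is an assumption)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("not a dump name in the expected layout: %s" % name)
    prot = int(m["protect"], 16)
    mtype = int(m["mtype"], 16)
    return {
        "pid": int(m["pid"], 16),
        "run": int(m["run"], 16),
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(prot & 0xFF, hex(prot)),
        "type": MEM_TYPE.get(mtype, hex(mtype)),
        # Execute bits: 0x10/0x20/0x40/0x80; write bits: 0x04/0x08/0x40/0x80.
        "executable": bool(prot & 0xF0),
        "writable": bool(prot & 0xCC),
        # Writable+executable memory not backed by an image file is where
        # unpacked or injected payloads usually live.
        "rwx_private": (prot & 0xFF) == 0x40 and mtype == 0x20000,
    }


def consistent_with_snapshot(dump_name, snapshot_name):
    """Cross-check pid/run/base against the IDA plugin's snapshot file name."""
    d = decode_dump_name(dump_name)
    s = SNAP_RE.match(snapshot_name)
    return (s is not None and int(s["pid"]) == d["pid"]
            and int(s["run"]) == d["run"] and int(s["base"], 16) == d["base"])


def rwx_private_regions(names):
    """List (pid, base) for every dump that is RWX and MEM_PRIVATE."""
    return [(d["pid"], hex(d["base"])) for d in map(decode_dump_name, names)
            if d["rwx_private"]]


if __name__ == "__main__":
    for n in DUMPS:
        print(decode_dump_name(n))
    print("RWX private regions:", rwx_private_regions(DUMPS))
```

Both dumps decode as PAGE_EXECUTE_READWRITE, MEM_PRIVATE regions in PID 19, which is the profile of unpacked or injected code rather than a loaded module, and it matches the plugin's "based on PE: false" note; the GlobalMemoryStatusEx call resolved in the 00F10000 dump sits in one of those regions. The fields this decoder leaves as `f6` and `f8` are not interpreted because nothing on the page pins down their meaning.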
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q
                                                              • API String ID: 0-3126353813
                                                              • Opcode ID: 79a8db366fbc3982b6cef6cfcebdef63900848ac9203acefa69221f209365843
                                                              • Instruction ID: 81765b486fa5104164d4667d6e52e990e2609d2e451a5770c20fc5af2e5f7311
                                                              • Opcode Fuzzy Hash: 79a8db366fbc3982b6cef6cfcebdef63900848ac9203acefa69221f209365843
                                                              • Instruction Fuzzy Hash: A6512F30B102049FDB54DBB9D851B6E7BEAFB89300F148569D819DB398EA70DD42CBA1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: XPq
                                                              • API String ID: 0-1601936878
                                                              • Opcode ID: 7b335067b46d5f811caa9b7d010ed74e64ff0ec32f54060ccd9d38e7aa41a1da
                                                              • Instruction ID: 2af62fba4850ee9f1ab4f04eda4939c5b5d4bc188581cc247eb82447751519db
                                                              • Opcode Fuzzy Hash: 7b335067b46d5f811caa9b7d010ed74e64ff0ec32f54060ccd9d38e7aa41a1da
                                                              • Instruction Fuzzy Hash: 31418231B002189FEB459BB9C815B9EBBF7FF88300F248529E505AB395DB758C06CB90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PHq
                                                              • API String ID: 0-3820536768
                                                              • Opcode ID: ffe5de81cc2eac30016ce891be4e95da36eb0d2841921297e43f9d08afbaea07
                                                              • Instruction ID: 848d75b9ae7c113a56ce73b4e9d9696b9c9a2fe4348e8806ea01b4f5929c365a
                                                              • Opcode Fuzzy Hash: ffe5de81cc2eac30016ce891be4e95da36eb0d2841921297e43f9d08afbaea07
                                                              • Instruction Fuzzy Hash: 2E418F70E007099FDF65DFA5C4906AEBBB6BF85300F244539D806EB344DB70A946CBA1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PHq
                                                              • API String ID: 0-3820536768
                                                              • Opcode ID: 42332424b69cafd818ae133b1fce5e4ba86dbff26e935185231b12d09bfc55ea
                                                              • Instruction ID: c0e9c97dacf23409326fb5c05bd5b42a0d62fd09104e82b71c00f6ec345124cf
                                                              • Opcode Fuzzy Hash: 42332424b69cafd818ae133b1fce5e4ba86dbff26e935185231b12d09bfc55ea
                                                              • Instruction Fuzzy Hash: 0631E130B202049FDF58AB75D46476E3BEAAB89300F244539D806DB385DE35DD06CBA5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: {/3a
                                                              • API String ID: 0-1622527394
                                                              • Opcode ID: f0c8d237e4c3bcfd816eb238cc0b7223a437b921a1c49a40f9726abe38ccd00d
                                                              • Instruction ID: b2a617633196253772e40297d8f0b0c8c9142727225da8408c0e7a0731a1f56c
                                                              • Opcode Fuzzy Hash: f0c8d237e4c3bcfd816eb238cc0b7223a437b921a1c49a40f9726abe38ccd00d
                                                              • Instruction Fuzzy Hash: CB2127B5C00219AFCB10DF9AD985ADEFFB8FB48310F10812AE918A7340C3756544CFA5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: {/3a
                                                              • API String ID: 0-1622527394
                                                              • Opcode ID: f93c3c95109ec89b40844e0a2b289c49849897d345178afb2a89863d9b64820f
                                                              • Instruction ID: c1247ef7891eb6b76a6f1570d95c776a290cbee6df7317fae014c27064b9dc0a
                                                              • Opcode Fuzzy Hash: f93c3c95109ec89b40844e0a2b289c49849897d345178afb2a89863d9b64820f
                                                              • Instruction Fuzzy Hash: B911CFB5D01259AFCB10DF9AD985ADEFBB8FB48310F10812AE918A7340C375A944CFA5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q
                                                              • API String ID: 0-1301096350
                                                              • Opcode ID: 7fc043e8ab4d466cc2fa4817b3fb8a746e83efd515cae692f0a7e7422f4f3dd1
                                                              • Instruction ID: 8562bdce47f711f921f83e3daa84be2e0f5a00a7e74bc9c931c4937a98447065
                                                              • Opcode Fuzzy Hash: 7fc043e8ab4d466cc2fa4817b3fb8a746e83efd515cae692f0a7e7422f4f3dd1
                                                              • Instruction Fuzzy Hash: 7BF03036A14205DBDF6459F6E940268736CEB42254B14496EDD00C7254D776DE12CAB1
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 34665af960024985957832c3d776b784523ab21245e55562498edbe96018273a
                                                              • Instruction ID: 857697c43218eb334e559aaa8dcc2c443a515580422fea118979a461ea670e04
                                                              • Opcode Fuzzy Hash: 34665af960024985957832c3d776b784523ab21245e55562498edbe96018273a
                                                              • Instruction Fuzzy Hash: 7D327234B002059FDF64DB68D890BAEBBB6FB89310F108529D805EB355DB35ED46CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 84900eed77ac7bf1bac67ba11c717836281400af3c8cbc93a85a062c9576c76b
                                                              • Instruction ID: 2e8c0e9f535e483a1806581cd76b82d85e146f3f1a30df5671633a4a18772ef9
                                                              • Opcode Fuzzy Hash: 84900eed77ac7bf1bac67ba11c717836281400af3c8cbc93a85a062c9576c76b
                                                              • Instruction Fuzzy Hash: CF617271F002214BEF549B7DC88065EBADBAFC4614B194439D80AEB364DEB5ED4287D2
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a14256f546f6172c11b58ac4cc2784fdd631ae1f40c2e1732bab0d66ff7cdd8f
                                                              • Instruction ID: dbd94687a853491ead8d0459d73dcc8b7b37167afb2ae0679bf840f63f0bdd65
                                                              • Opcode Fuzzy Hash: a14256f546f6172c11b58ac4cc2784fdd631ae1f40c2e1732bab0d66ff7cdd8f
                                                              • Instruction Fuzzy Hash: 2D812D30B102098FDF54DBB9D4507AEBBE7AF89300F148529D909EB349EE75DC468BA1
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 85cad1e7ba335caa135c3148bbcbf121aa412a5a2a3cee3038ec40a1da01dbf6
                                                              • Instruction ID: d7266172773b7efe437e91ebe4bc2f7bea7a4ae06d3a319a8f6979ff873c2675
                                                              • Opcode Fuzzy Hash: 85cad1e7ba335caa135c3148bbcbf121aa412a5a2a3cee3038ec40a1da01dbf6
                                                              • Instruction Fuzzy Hash: 60912034E102198FDF60DF64C890B9DBBB1FF85310F208695D549BB355DB70A986CB91
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c564f94fca69d01ede2cc2555635fbde8dc4e302b8617bbcbde2e418271d8d75
                                                              • Instruction ID: cb208fe97dc4a959f81304c91681627066dc9c0a9e8a7a1d401b2cfa7c113714
                                                              • Opcode Fuzzy Hash: c564f94fca69d01ede2cc2555635fbde8dc4e302b8617bbcbde2e418271d8d75
                                                              • Instruction Fuzzy Hash: 41914E34E102198BDF64DF68C880B9DB7B1FF89310F208699D549BB355DB70AA86CF90
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7501da745d399a57d22e8e2b369333c59648a510d96f23e3147bcb180bc32bb8
                                                              • Instruction ID: 5e6144fd4f4b89284996babe4749edc278cb20b77b965ebcccdfb0e104891a97
                                                              • Opcode Fuzzy Hash: 7501da745d399a57d22e8e2b369333c59648a510d96f23e3147bcb180bc32bb8
                                                              • Instruction Fuzzy Hash: 13814D70A002089FDF54DBA8D980A9EBBFAFF88314F158529E405EB355DB35ED46CB50
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4a8189b712a2c4a554d5cd2c543b9ab008183fde2de499f18f4d8dbcc929fa57
                                                              • Instruction ID: 88fa9381e69e8327ad17f1ca31f27e9be3de4c2e5a8fe24b6277e3e241708072
                                                              • Opcode Fuzzy Hash: 4a8189b712a2c4a554d5cd2c543b9ab008183fde2de499f18f4d8dbcc929fa57
                                                              • Instruction Fuzzy Hash: 1A713C70E002089FDB54EBA8D990A9EBBFAFF88314F158429E405EB355DB35ED46CB50
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bf3eb64a7bf32b347ab5f3e94aa8ad19ced17943478dfcb55ead5826790cfb18
                                                              • Instruction ID: e329c93baa21b480994a27a862163413bb71b386a67d2a3dd2852863267f2d94
                                                              • Opcode Fuzzy Hash: bf3eb64a7bf32b347ab5f3e94aa8ad19ced17943478dfcb55ead5826790cfb18
                                                              • Instruction Fuzzy Hash: C451F531E00204DFDF54ABB8E4546AEBBB6FB84315F118839E906D7351DB35895AC7A0
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: de4a9805615837194fada53acf546ae4cf501ea9a111d3b7bfc300f55f0bfd2b
                                                              • Instruction ID: c1fa1456f5fb5b490f3488121371e364268f605474f32bc1a7851b40b45c6099
                                                              • Opcode Fuzzy Hash: de4a9805615837194fada53acf546ae4cf501ea9a111d3b7bfc300f55f0bfd2b
                                                              • Instruction Fuzzy Hash: 94519730F102148FEF646A68D89476F769FE78D310F21442AE80AC73A5CB78DC4397A1
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bfa97c300290bccc8f291f5c9f42365b6473e05fa24c4a79cec0df0cb0959c42
                                                              • Instruction ID: 29100e1133bf9c1056ca302ae5fd101df8d974875ae51c32119b7264c0b57042
                                                              • Opcode Fuzzy Hash: bfa97c300290bccc8f291f5c9f42365b6473e05fa24c4a79cec0df0cb0959c42
                                                              • Instruction Fuzzy Hash: 8551B430F102149BFF646A68D894B2F365FD78D350F21442AE80BC73A9CA78DC4397A2
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fcb019079264a0a84fb4649600ce50746336c2c8678e8c01066f96405672868e
                                                              • Instruction ID: a687ced1ad5b971445fed432df8d946c3a3e7fa39cf11c55c3fc852d2b76d0da
                                                              • Opcode Fuzzy Hash: fcb019079264a0a84fb4649600ce50746336c2c8678e8c01066f96405672868e
                                                              • Instruction Fuzzy Hash: 0441A031E006098FDF71CFA9C880AAFFBB6FB44310F10492AE556D7611D730E9568BA1
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4413f439cc000ee3e57102289c5c3f75cb3fd2e7f302a776566c9a86bf697a6e
                                                              • Instruction ID: 08d7912cfb606b8c7ef4605dccb051ddf342df55d298a57c357f6ec4d77a176e
                                                              • Opcode Fuzzy Hash: 4413f439cc000ee3e57102289c5c3f75cb3fd2e7f302a776566c9a86bf697a6e
                                                              • Instruction Fuzzy Hash: 4B317030E1075A8FDF25DF68D890A9EBBB6EF85304F144929D805EB344EB71F9468B90
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2a5857ccb24abdb950e48c52b59ee89e750be331e64d4d0c0934662b3c9635ae
                                                              • Instruction ID: 6007944ae07cf3ca9277365a665829b6a3b3f12971ca3cedde2b10638da89def
                                                              • Opcode Fuzzy Hash: 2a5857ccb24abdb950e48c52b59ee89e750be331e64d4d0c0934662b3c9635ae
                                                              • Instruction Fuzzy Hash: F6318F30E102059FDB59CF64D8646AEB7BAFF89300F108429E906EB344DB31EE46CB50
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 213b67899349489ef2c33940e8cde5d4166f36fd48cbaa722f1d144dae9a1f01
                                                              • Instruction ID: 2b2ff0be4154aa5a9b307112e5cbcbf259c083c6b9f0f8865d41a8abbd3c6c1f
                                                              • Opcode Fuzzy Hash: 213b67899349489ef2c33940e8cde5d4166f36fd48cbaa722f1d144dae9a1f01
                                                              • Instruction Fuzzy Hash: C7316034E106059BDF59CF64D86469FB7BAFF89300F108529EA06E7344DB71AD86CB50
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f37fddadd1aa9db73a0a31a53d06a132118fd05f2ab349836771748e4cca8e64
                                                              • Instruction ID: 92c285eef6a93505bb1af64e9e48aa1c528060555de63fa5fa7b12b826f40ce7
                                                              • Opcode Fuzzy Hash: f37fddadd1aa9db73a0a31a53d06a132118fd05f2ab349836771748e4cca8e64
                                                              • Instruction Fuzzy Hash: B1215A75E002189FDF45DFA9D880AEEBBF9EB48310F148126EA05E7355E731D8428BA0
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0a6398369a2ed8ea378579f0b994923f44b26b5077b398b1ec2f846f29d11317
                                                              • Instruction ID: 413efffc4de4466ae230802be92567a3e595e5f9152c5b96aa9b091390464f93
                                                              • Opcode Fuzzy Hash: 0a6398369a2ed8ea378579f0b994923f44b26b5077b398b1ec2f846f29d11317
                                                              • Instruction Fuzzy Hash: C2216975E002189FDF54DF6AD880AAEBBF5EB48310F108029EA05E7354E771D842CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2488073249.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_e3d000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 43e30e64aaac6c0a7258ebc2a700ee26e1191fb2376bf64fd179bb509cb22d42
                                                              • Instruction ID: c1796751b463ac591901570c413d4a394e350378d1dcd47b17fb7020a9700406
                                                              • Opcode Fuzzy Hash: 43e30e64aaac6c0a7258ebc2a700ee26e1191fb2376bf64fd179bb509cb22d42
                                                              • Instruction Fuzzy Hash: 9B210371608304DFDB18DF10ED88B26BFA6EB84718F20C569D8091A282C336D847CE62
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2488073249.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_e3d000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c2f3f0d3e3a8b6d10ae779bc3cb82b0f45f039f1e76739ea2f500fd37d307320
                                                              • Instruction ID: 972f2a51093a75d07e1d470f4ab428bf08bd2a4a68f147a657f103b545d6beda
                                                              • Opcode Fuzzy Hash: c2f3f0d3e3a8b6d10ae779bc3cb82b0f45f039f1e76739ea2f500fd37d307320
                                                              • Instruction Fuzzy Hash: 81215C7150D3C09FCB07CB24D994711BF71AF46214F29C5EBD8898F2A7C23A980ACB62
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 56233022221fcf5f2dc3a3ea5a74fb635e22310c2b63a7928b2a4a37d704daf7
                                                              • Instruction ID: 3b5275e50a93d1a50235332c85723099d78092cdf485d8b224032a984f0fd729
                                                              • Opcode Fuzzy Hash: 56233022221fcf5f2dc3a3ea5a74fb635e22310c2b63a7928b2a4a37d704daf7
                                                              • Instruction Fuzzy Hash: F9116131B045288FDF989A69D8546AF77AFEBC8310F008579D916E7344EE65DC0287E1
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b25f7a1d826d2b8b94b035679e241c43f76eaeff1f2bc3da4e699557506864e1
                                                              • Instruction ID: 21b20179644176ae9e913a0ec9e3993c53af3cff37f62298c94b129f08cacfe8
                                                              • Opcode Fuzzy Hash: b25f7a1d826d2b8b94b035679e241c43f76eaeff1f2bc3da4e699557506864e1
                                                              • Instruction Fuzzy Hash: B501F130B042101FDB6592BDD810B6BA7DFEBCA320F10847AE50ACB355DD65CC4343A1
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c4c18949e47d15dd3062a7d6ca53dfdea092146ebfdc4f0a191ffbe4465528ea
                                                              • Instruction ID: 150ff6c3a812f93bba65443b708bf4a4bef0c0f5c2b41241f9a9e89b423a0718
                                                              • Opcode Fuzzy Hash: c4c18949e47d15dd3062a7d6ca53dfdea092146ebfdc4f0a191ffbe4465528ea
                                                              • Instruction Fuzzy Hash: 9201B535B145105FCBA196BCD861BAF77E9EB8B320B108869E40ECB385DA15DC0387D1
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 85bd9601774c1fa3c1731c20a4ef9683d209f7f038621e342ab80d8220817752
                                                              • Instruction ID: 67895ee2c30606abce18de2d4306a72128b16db808236addb1f0e15357b80d7f
                                                              • Opcode Fuzzy Hash: 85bd9601774c1fa3c1731c20a4ef9683d209f7f038621e342ab80d8220817752
                                                              • Instruction Fuzzy Hash: 2E01D632B045145BDF9595ADDC106EF7BAF9BC9320F04407AE915E7344EF50880687E1
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ac01970dd0dfd36b18a652be62c9809d66e8bcc70092299fd26ad3b0668779a3
                                                              • Instruction ID: 48ba6ac1b08d592abed524eaf403b9a9958df9aca1b303e37aea42eb47655494
                                                              • Opcode Fuzzy Hash: ac01970dd0dfd36b18a652be62c9809d66e8bcc70092299fd26ad3b0668779a3
                                                              • Instruction Fuzzy Hash: A101DE31B001114FCFA5963DD891B2EBBE6EB8A310F15896AE80ACB342DA20DC0347E1
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7c0981a2807a2b1c3e2f2435c032848b7f75b1b643bb09349e07a19120ec22c4
                                                              • Instruction ID: 63c10be58cfe287c428d1fecc487f52beb194b27c631978e203a703a8e783de5
                                                              • Opcode Fuzzy Hash: 7c0981a2807a2b1c3e2f2435c032848b7f75b1b643bb09349e07a19120ec22c4
                                                              • Instruction Fuzzy Hash: D2016931B101200BEFA895AEE454B2BA6DFEBC9720F20883AE50AC7354ED65DC4347A5
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 402ca5e9c6ee69040f13aba4d9c162697f65c8b4f72e1e1a9da58485f2548ca5
                                                              • Instruction ID: a4a62e9695f820d3831437cba351a0e0dfe3312f54c792d639b28f9d7b59ab17
                                                              • Opcode Fuzzy Hash: 402ca5e9c6ee69040f13aba4d9c162697f65c8b4f72e1e1a9da58485f2548ca5
                                                              • Instruction Fuzzy Hash: EE018C75B105210BDFA8957DE854B2F66DAEBCA720F218829E90EC7344EE25DC0347E1
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8087a7c724b6c99e2b54cdfbd94e4368eb56e500e013bfb394c17de829ac6a9e
                                                              • Instruction ID: c1ecbf7520292938f02620b9096f56133b0f3d94f2343472e5c444385ba18d4e
                                                              • Opcode Fuzzy Hash: 8087a7c724b6c99e2b54cdfbd94e4368eb56e500e013bfb394c17de829ac6a9e
                                                              • Instruction Fuzzy Hash: 80018134B101104FDBA49ABDE450B2F73D9EB8A320F108829E90EC7344E925DC028790
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 007d1d13133178242a1f88b0707c3b6a392dad5618b9044b68eda080a6072d91
                                                              • Instruction ID: 71f40abf27c43ce3e558f006b7dd8cc9cd3023e18138bdebe90f9e5bcdf25d34
                                                              • Opcode Fuzzy Hash: 007d1d13133178242a1f88b0707c3b6a392dad5618b9044b68eda080a6072d91
                                                              • Instruction Fuzzy Hash: A3E09B71D553087BEF50CEF4C915696775ED702624F20C465DC04CB341E272DD1186B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                                              • API String ID: 0-1298971921
                                                              • Opcode ID: 05b247cfac913e8eaf647d8db8b6096d9a97dfffb1667bdbf99b49f02c2f120e
                                                              • Instruction ID: 46cf1f70c190af7ec574d14b0c868d1ce2a8d07ca81935676d08b2e2682accbd
                                                              • Opcode Fuzzy Hash: 05b247cfac913e8eaf647d8db8b6096d9a97dfffb1667bdbf99b49f02c2f120e
                                                              • Instruction Fuzzy Hash: F5122C30E10219CFDB68DB65D854A9DBBB6FF88301F208569D80AAB355DB30DD86CF90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q$$q$$q$$q$$q
                                                              • API String ID: 0-3886557441
                                                              • Opcode ID: 1ea332c91e3a8b62334a7a6cff4ede07d44d1092cd7874ce2992513f09e8b779
                                                              • Instruction ID: caf07d196b4e743e62d6fb77e8b81938150017d28c021888bd70a213e3df8dcc
                                                              • Opcode Fuzzy Hash: 1ea332c91e3a8b62334a7a6cff4ede07d44d1092cd7874ce2992513f09e8b779
                                                              • Instruction Fuzzy Hash: 40915D30E00209DFEF64EBA5D955BAE77FAEF44304F108529E802AB354DB749D46CBA0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q$$q$$q
                                                              • API String ID: 0-2069967915
                                                              • Opcode ID: 08fe7379f91dba4abdcb01363115bb84cc5ab1c2d439d7e4ae4e276846747ee9
                                                              • Instruction ID: 0c4b4a5e0d2227f332865f41f1418442cf8a32c7a1389f50338050df1bf7e790
                                                              • Opcode Fuzzy Hash: 08fe7379f91dba4abdcb01363115bb84cc5ab1c2d439d7e4ae4e276846747ee9
                                                              • Instruction Fuzzy Hash: 7FF13030A10208CFDB55EBA5D455A6E7BB6FF84301F248529D8059B369DF75EC83CBA0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q
                                                              • API String ID: 0-4102054182
                                                              • Opcode ID: 734d25b611b720587c9039ab2859435c8f00379e3274deb83767b45c4267a2d2
                                                              • Instruction ID: 68487629f50dc10ec0a0d3291d7fbeeb09e8bfee5bd176631558ad265827c183
                                                              • Opcode Fuzzy Hash: 734d25b611b720587c9039ab2859435c8f00379e3274deb83767b45c4267a2d2
                                                              • Instruction Fuzzy Hash: 0FB14C30A10218CFDB64EBA5D8446AEB7B6FF85300F24896DD806DB355DB75EC82CB90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LRq$LRq$$q$$q
                                                              • API String ID: 0-2204215535
                                                              • Opcode ID: 420c81e21f911fbc595e64bdd1f10f1e780026b1602e36edf3272d77c9b7a121
                                                              • Instruction ID: 851e65c43043a8d0646bc948befd5bee202d0f7ef57f00c8441f9e1b8851397e
                                                              • Opcode Fuzzy Hash: 420c81e21f911fbc595e64bdd1f10f1e780026b1602e36edf3272d77c9b7a121
                                                              • Instruction Fuzzy Hash: B5518330B002019FDB58EB79D941B6E77EAFF85304B14896DE806DB355DA31EC46CBA1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2527887682.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_6690000_lC7L7oBBMC.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q
                                                              • API String ID: 0-4102054182
                                                              • Opcode ID: 88edb332c391a39c65490eab70fcc052949aba7939ba485cfdc4602f8111ca38
                                                              • Instruction ID: b6d995a81827017e2f5b5b7e9d60cc7c8de31965a5531418b9c47ae15bc418ad
                                                              • Opcode Fuzzy Hash: 88edb332c391a39c65490eab70fcc052949aba7939ba485cfdc4602f8111ca38
                                                              • Instruction Fuzzy Hash: 2651C134E102449FDF65EBA4D8806AEB7FAEF88311F24452AEC059B355DB35DC46CBA0

                                                              Execution Graph

                                                              Execution Coverage: 8.9%
                                                              Dynamic/Decrypted Code Coverage: 100%
                                                              Signature Coverage: 0%
                                                              Total number of Nodes: 218
                                                              Total number of Limit Nodes: 9

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073F8EB6
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1382401064.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_73f0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: f02095491575a833d9c2c2fcbc8b182e94fa9f5dcf127cd1cea312932d01cb21
                                                              • Instruction ID: a75da53d0b4c1f68b7c483997d0399901bc6ccbc1e6a29f7ac76c6c52efc73e2
                                                              • Opcode Fuzzy Hash: f02095491575a833d9c2c2fcbc8b182e94fa9f5dcf127cd1cea312932d01cb21
                                                              • Instruction Fuzzy Hash: D7914AB1D0131ADFEF24CF68C840BEDBBB2BF59350F14856AE908A6240DB749985CF91

                                                              Control-flow Graph
                                                              • Graph rendering not included; basic blocks 73f8c80-73f8fc5, API call CreateProcessA in block 73f8e0f-73f8ec9
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073F8EB6
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1382401064.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_73f0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 630367b0569d5ae89f00e81bb4f13b0d8f7e929a044e395453c24647600e2c64
                                                              • Instruction ID: e2864a4ddc89abcd0ed6d66188f7c163f0cd7af7d0e26593f303ade0d7581afa
                                                              • Opcode Fuzzy Hash: 630367b0569d5ae89f00e81bb4f13b0d8f7e929a044e395453c24647600e2c64
                                                              • Instruction Fuzzy Hash: AB9139B1D0171ACFEF24CFA8C840BDDBBB2BF49350F14856AE918A6240DB749985CF91

                                                              Control-flow Graph
                                                              • Graph rendering not included; basic blocks 186ae30-186b0b0, API call GetModuleHandleW in block 186b068-186b093
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0186B086
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1347375098.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1860000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: ecbe3d9645cfb5489d5b68a19d2f0a35a827dd3e4762c85bb4f07d83e1286183
                                                              • Instruction ID: 4a9c970295b45b5cb9e8107c299b55b9e71061ac9990b23e898a1e079d696fe6
                                                              • Opcode Fuzzy Hash: ecbe3d9645cfb5489d5b68a19d2f0a35a827dd3e4762c85bb4f07d83e1286183
                                                              • Instruction Fuzzy Hash: E9816AB0A00B058FDB28DF69D44075ABBF5FF88304F00892DD04AEBA50D775E946CB91

                                                              Control-flow Graph
                                                              • Graph rendering not included; basic blocks 186449c-1865a61, API call CreateActCtxA in block 186449c-18659d9
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 018659C9
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1347375098.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1860000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 54bba506f72ea44d8ef8f3da5bb466feafd126d04dcc845e11520585c51d36ee
                                                              • Instruction ID: f4f270318b0f102427d9a8453c2a1b42cda29f78d66d12341b5b1eb09e29da2c
                                                              • Opcode Fuzzy Hash: 54bba506f72ea44d8ef8f3da5bb466feafd126d04dcc845e11520585c51d36ee
                                                              • Instruction Fuzzy Hash: 3A41E471C0071DCBDB24DFA9C884B8DBBF5BF49314F60816AD408AB251DB756A46CF90

                                                              Control-flow Graph
                                                              • Graph rendering not included; basic blocks 186590c-1865a61, API call CreateActCtxA in block 186591c-18659d9
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 018659C9
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1347375098.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1860000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: a769c1348fe6b4d2e8bdb5cb5d0a6d55add9634d068ea2452e23f269f7a8adf1
                                                              • Instruction ID: 4d67d4bea34148eff2dea304e4b2e4bf5c191ced9021bf1e1c547a021bae02f9
                                                              • Opcode Fuzzy Hash: a769c1348fe6b4d2e8bdb5cb5d0a6d55add9634d068ea2452e23f269f7a8adf1
                                                              • Instruction Fuzzy Hash: 8141E271C0072DCBEB24DFA9C884B8DBBF5BF49314F20816AD408AB250DB756A46CF90

                                                              Control-flow Graph
                                                              • Graph rendering not included; basic blocks 73f89f8-73f8ace, API call WriteProcessMemory in block 73f8a56-73f8a95
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073F8A88
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1382401064.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_73f0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 996d87698fe43ff67a7f1df3af9a1d5285abf52dd9979e8d5dc67fb551d97a73
                                                              • Instruction ID: 47a02a79f6cf4a6b1abaef73df756cca7ad604d668b9d009c8647717ad17101a
                                                              • Opcode Fuzzy Hash: 996d87698fe43ff67a7f1df3af9a1d5285abf52dd9979e8d5dc67fb551d97a73
                                                              • Instruction Fuzzy Hash: 052113B59013099FDB14DFAAC885BDEBBF5FF48310F50882AE918A7240D7789945CBA4

                                                              Control-flow Graph
                                                              • Graph rendering not included; basic blocks 186d2f8-186d3ba, API call DuplicateHandle in block 186d342-186d394
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0186D2C6,?,?,?,?,?), ref: 0186D387
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1347375098.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1860000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: bdb702458034eaac63510d12e3dd6020b77383594f91f120d371ba61bfdb8425
                                                              • Instruction ID: 35ad296391e95bd440ec66fff1fa39d6ae0c7d73a526a5ad81c8530fa6375397
                                                              • Opcode Fuzzy Hash: bdb702458034eaac63510d12e3dd6020b77383594f91f120d371ba61bfdb8425
                                                              • Instruction Fuzzy Hash: A12123B5D003499FDB21CFA9D984ADEBBF5AB09320F14855AE968A7250D338A941CF60

                                                              Control-flow Graph
                                                              • Graph rendering not included; basic blocks 73f8858-73f8924, API call Wow64SetThreadContext in block 73f88bb-73f88eb
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073F88DE
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1382401064.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_73f0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 055f889aad9d1a17356d679e3068a063f2233b0b54a36338bba832643f68f544
                                                              • Instruction ID: 2659bc07652caf684d779990abf3c1dacd3d2b7d9d6735cc42606d0be454f29b
                                                              • Opcode Fuzzy Hash: 055f889aad9d1a17356d679e3068a063f2233b0b54a36338bba832643f68f544
                                                              • Instruction Fuzzy Hash: 09215C71D003098FDB14DFAAC4857EEBBF1AF48320F10852AD529A7280CB789945CF94

                                                              Control-flow Graph
                                                              • Graph rendering not included; basic blocks 186c9a0-186d3ba, API call DuplicateHandle in block 186c9a0-186d394
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0186D2C6,?,?,?,?,?), ref: 0186D387
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1347375098.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1860000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: b452550e606896b960e7872bb93ec5a2d08f22a32dc50846159b1c0216b53116
                                                              • Instruction ID: ae3457736623e991c657076cc33ffb155960aeec41bdc457d9a40f6c4ab916ad
                                                              • Opcode Fuzzy Hash: b452550e606896b960e7872bb93ec5a2d08f22a32dc50846159b1c0216b53116
                                                              • Instruction Fuzzy Hash: 5821E6B5D00348EFDB10CF9AD984ADEBBF9EB48310F14841AE958A7350D374A954CFA4
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073F8B68
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1382401064.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_73f0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: d0f53133a12a1e3f85b4f1e7532548c78832b249013644382597d7e357e29f89
                                                              • Instruction ID: 22b72ec22eb821ce3aa3335f41f4fe958e608ec425bc7564c54000ae99b03923
                                                              • Opcode Fuzzy Hash: d0f53133a12a1e3f85b4f1e7532548c78832b249013644382597d7e357e29f89
                                                              • Instruction Fuzzy Hash: C32114B1C003499FDB10DFAAC881BEEBBF5FF48310F50842AE919A7240C7399941CBA4
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073F88DE
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1382401064.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_73f0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 3dd0589c064b2a370ea3afe8b666232692b18c0c5d0b5dee4474539ea819b0d3
                                                              • Instruction ID: 0c207efffc7729319b07183cfc6cdde4b6f38e27368daed33173ab2a2d599197
                                                              • Opcode Fuzzy Hash: 3dd0589c064b2a370ea3afe8b666232692b18c0c5d0b5dee4474539ea819b0d3
                                                              • Instruction Fuzzy Hash: 142138B1D003098FDB14DFAAC4857EEBBF4EF48310F54842AD559A7240DB789945CFA4
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073F89A6
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1382401064.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_73f0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: ac605768f8df31e307916a6779ba38744d29064f6d404fb2b4a83829e55c6136
                                                              • Instruction ID: 5728f36e9f28cb3d08f2a0b8826ef79d42610d3424e2371d4a080e600bcb4739
                                                              • Opcode Fuzzy Hash: ac605768f8df31e307916a6779ba38744d29064f6d404fb2b4a83829e55c6136
                                                              • Instruction Fuzzy Hash: 001144718003099FDB20DFAAC844BDEBBF5AB88320F108819E919A7250CB35A940CFA1
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1382401064.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_73f0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 9fec1465e994ee3f62b979372833be8540d0327c073b93e0022a5d5a100575a5
                                                              • Instruction ID: 01bbd837d7d700ee43f72be1f28d757c5f5599804df130d3339e6912df8ba23e
                                                              • Opcode Fuzzy Hash: 9fec1465e994ee3f62b979372833be8540d0327c073b93e0022a5d5a100575a5
                                                              • Instruction Fuzzy Hash: FF114CB1D003498FDB24DFAAC8457EEBBF5EF88320F248919D569A7240CB355545CF94
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073F89A6
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1382401064.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_73f0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 19f4c33114179e27cfca0d590bef90d2bf43744afbeb6ca1ec92b8e1941355cd
                                                              • Instruction ID: f61c96e00e9ce1a09d8d9076474008b45eb0b283107eff974a738ad81203ce40
                                                              • Opcode Fuzzy Hash: 19f4c33114179e27cfca0d590bef90d2bf43744afbeb6ca1ec92b8e1941355cd
                                                              • Instruction Fuzzy Hash: 62112675D003499FDB24DFAAC844BEEBBF5AF88310F148819E959A7250C7359941CFA1
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1382401064.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_73f0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 1c6aecd4b2ab1d7763bce45b537ae3d58e9a9d2a02a04fd729e985864be15e8c
                                                              • Instruction ID: 291efd18a7e2de35f8ae38cfe836334bfe9915e72f35ceebc82ee911cfad08ab
                                                              • Opcode Fuzzy Hash: 1c6aecd4b2ab1d7763bce45b537ae3d58e9a9d2a02a04fd729e985864be15e8c
                                                              • Instruction Fuzzy Hash: A61128B1D003498FDB24DFAAC4457DEFBF5EB48320F148419D519A7240CB79A945CFA4
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 073FBF9D
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1382401064.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_73f0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: 6f480fa54ae596cf9b0b0109b529622cb628192d31c08c36cf8ea8fd65a5d73b
                                                              • Instruction ID: 80c2b40bcbd095094baa748d62657a6ecab02c6ceb0ba50ec5ba34f096bc5632
                                                              • Opcode Fuzzy Hash: 6f480fa54ae596cf9b0b0109b529622cb628192d31c08c36cf8ea8fd65a5d73b
                                                              • Instruction Fuzzy Hash: 1911D6B5800359DFDB10DF9AD945BDEFBF8EB48320F10841AE958A7240D375A984CFA1
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 073FBF9D
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1382401064.00000000073F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_73f0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: a4af4b77c9b42a7963084f511a1acf1941da86b9443746584e7b43b3f02ccb65
                                                              • Instruction ID: e6407d3dfda6405b94e0ef22dc929cdfe5653ed662a33f143261dcbd025a6893
                                                              • Opcode Fuzzy Hash: a4af4b77c9b42a7963084f511a1acf1941da86b9443746584e7b43b3f02ccb65
                                                              • Instruction Fuzzy Hash: 3211F2B5804349DFDB20DF9AD885BDEFBF8EB48320F10841AE919A7240C375A944CFA1
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0186B086
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1347375098.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_1860000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 35dec446862f7f04ddffd0e4802738e003b485e3d1891e7344715a1a1a72b833
                                                              • Instruction ID: a015a6cb73c7930d297186a2dd9876eac243504ed6f0f3b38dfd9fc78e07806a
                                                              • Opcode Fuzzy Hash: 35dec446862f7f04ddffd0e4802738e003b485e3d1891e7344715a1a1a72b833
                                                              • Instruction Fuzzy Hash: 531102B5D003498FDB20DF9AC444A9EFBF8AB48314F10841AD528A7210D379A645CFA1
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1346700854.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_160d000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bead1278633639af3d71db82a9049d2e9d41eb5bebb4675bb90b08df81cab66d
                                                              • Instruction ID: 188af1168aee8a080e6186d438df0db8e2c8dedde6a1904f65baa29ee633d09f
                                                              • Opcode Fuzzy Hash: bead1278633639af3d71db82a9049d2e9d41eb5bebb4675bb90b08df81cab66d
                                                              • Instruction Fuzzy Hash: 6F21C471504340DFDB1ADF94DDC4B27BB65FB88324F24C669EA050A286C336D417CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1346700854.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_160d000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 93e8564e022874ae9ccb42de16c94fbfad200ec9fdbfe3b8d8952b7c4d1b742b
                                                              • Instruction ID: 7c6f5ceb9344f38cb84260f128cce7c61e43fa90611da9deaf6c018e2f775c1f
                                                              • Opcode Fuzzy Hash: 93e8564e022874ae9ccb42de16c94fbfad200ec9fdbfe3b8d8952b7c4d1b742b
                                                              • Instruction Fuzzy Hash: 7A21F471504204DFDB1ADF94D9C0B5BBB65FB94324F20C269E9090B396C336E456CAA2
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1346934232.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_161d000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cf3eabf21e5353c42b7950e6b684ebc836f20867b76c4ce6192d93a3d21d4023
                                                              • Instruction ID: 12fefe44ddbdd3e2dd36b2cad49da9aac9a6dc0ed0e60b86ef9e10c0c7634c7f
                                                              • Opcode Fuzzy Hash: cf3eabf21e5353c42b7950e6b684ebc836f20867b76c4ce6192d93a3d21d4023
                                                              • Instruction Fuzzy Hash: 23212571604200EFDB05DF94D9C8B55BBA1FB84324F28C66DDA094B35AC336D407CA61
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1346934232.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_161d000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bd7a39921acad71a27da74b14f22fed9e1fd287980efecbe0ef775f94bfdf892
                                                              • Instruction ID: bcf1660afd318829ec6716543eddebca6f9a74ecbe593ad6c2548200277a45ee
                                                              • Opcode Fuzzy Hash: bd7a39921acad71a27da74b14f22fed9e1fd287980efecbe0ef775f94bfdf892
                                                              • Instruction Fuzzy Hash: 64212275604300DFDB15DF54DDC8B16BB61EB84315F28C5ADD80A0B38AC33AD847CA62
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1346934232.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_161d000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8ffe435ad62ae9cb861b432095fd38155d7f825aadd9d7836bdb057ccd59a7c5
                                                              • Instruction ID: 8bf9a04ec12e8f1a5d2ea5ce556bb9d81c84b3206f2201ef24b7193c789c0d41
                                                              • Opcode Fuzzy Hash: 8ffe435ad62ae9cb861b432095fd38155d7f825aadd9d7836bdb057ccd59a7c5
                                                              • Instruction Fuzzy Hash: 5A21AE755093808FCB03CF64D994B15BF71EB46214F28C5EAD8498F6A7C33A980ACB62
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1346700854.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_160d000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6fa0a9b6888ab601070468a7c49be392b44274aed9e91ce62da6c30ec0883e0c
                                                              • Instruction ID: fa05805adb889d8eb47908e87029cc2f509deaffaecc702f306184edc233c8d6
                                                              • Opcode Fuzzy Hash: 6fa0a9b6888ab601070468a7c49be392b44274aed9e91ce62da6c30ec0883e0c
                                                              • Instruction Fuzzy Hash: 9E21AF76504240DFDB0ACF94D9C4B56BF72FB84324F24C6A9DD490B696C33AD426CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1346700854.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_160d000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                              • Instruction ID: 92df6f73ed0695e0f324e75200224b8d84902cba7d810680ce7c77cf2cd23c33
                                                              • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                              • Instruction Fuzzy Hash: EB11DF76504240DFCB06CF84D9C0B56BF72FB84324F24C2A9D8090B297C33AE456CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1346934232.000000000161D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0161D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_161d000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                              • Instruction ID: 437c6b9390fd744d1b5d8b2ae16ecc977cd872cefb196a20bc12e7c7ed9f914e
                                                              • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                              • Instruction Fuzzy Hash: 8311BB75504280DFCB06CF58C9C4B55BBA2FB84324F28C6ADD9494B7AAC33AD40ACB61
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1346700854.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_160d000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 86d5ddb8740317e17041f3c5bc05c86ca289cb97debdaba8a2917bdb0d16d880
                                                              • Instruction ID: ca27d6d224026b4c668a21983e784a9be156b87db3819e77f7db94c4244f9438
                                                              • Opcode Fuzzy Hash: 86d5ddb8740317e17041f3c5bc05c86ca289cb97debdaba8a2917bdb0d16d880
                                                              • Instruction Fuzzy Hash: CC01F7310083809EE7264AD5CC84B77FF98DF41221F18C65AED180A3C6C3789845CAB2
                                                              Memory Dump Source
                                                              • Source File: 00000015.00000002.1346700854.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_21_2_160d000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bb68d78513618e35e521c13da1492c9614127145612832a29d0e985d3a31e44d
                                                              • Instruction ID: 34d5f51098b55fea9a882e484142038c493f1e898273a408aa2b120b2f0d0267
                                                              • Opcode Fuzzy Hash: bb68d78513618e35e521c13da1492c9614127145612832a29d0e985d3a31e44d
                                                              • Instruction Fuzzy Hash: D4F0C231008380AEE7258A4ACC84B63FFA8EF41734F18C55AED180A3C7C379A844CAB1

                                                              Execution Graph

                                                              Execution Coverage:10.4%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:258
                                                              Total number of Limit Nodes:11
                                                              execution_graph 30676 7563e74 30678 7563e7d 30676->30678 30677 756405a 30678->30677 30683 7565240 30678->30683 30702 756529e 30678->30702 30722 7565230 30678->30722 30679 756420e 30684 756525a 30683->30684 30741 75657b3 30684->30741 30746 75656b4 30684->30746 30751 75658d6 30684->30751 30755 7565ae9 30684->30755 30759 75656c8 30684->30759 30764 7565e88 30684->30764 30768 7565a2a 30684->30768 30773 7565f4a 30684->30773 30778 7565c2d 30684->30778 30787 756564e 30684->30787 30792 7565825 30684->30792 30797 7565ba6 30684->30797 30805 7565b66 30684->30805 30810 7565819 30684->30810 30815 7565f18 30684->30815 30819 756585e 30684->30819 30685 756527e 30685->30679 30703 75652a1 30702->30703 30704 756522c 30702->30704 30706 75658d6 2 API calls 30704->30706 30707 75656b4 2 API calls 30704->30707 30708 75657b3 2 API calls 30704->30708 30709 756585e 2 API calls 30704->30709 30710 7565f18 2 API calls 30704->30710 30711 7565819 2 API calls 30704->30711 30712 7565b66 2 API calls 30704->30712 30713 7565ba6 4 API calls 30704->30713 30714 7565825 2 API calls 30704->30714 30715 756564e 2 API calls 30704->30715 30716 7565c2d 4 API calls 30704->30716 30717 7565f4a 2 API calls 30704->30717 30718 7565a2a 2 API calls 30704->30718 30719 7565e88 2 API calls 30704->30719 30720 75656c8 2 API calls 30704->30720 30721 7565ae9 2 API calls 30704->30721 30705 756527e 30705->30679 30706->30705 30707->30705 30708->30705 30709->30705 30710->30705 30711->30705 30712->30705 30713->30705 30714->30705 30715->30705 30716->30705 30717->30705 30718->30705 30719->30705 30720->30705 30721->30705 30723 7565240 30722->30723 30725 75658d6 2 API calls 30723->30725 30726 75656b4 2 API calls 30723->30726 30727 75657b3 2 API calls 30723->30727 30728 756585e 2 API calls 30723->30728 30729 7565f18 2 API calls 30723->30729 30730 7565819 2 API calls 30723->30730 30731 7565b66 2 API calls 30723->30731 30732 7565ba6 4 API calls 30723->30732 30733 7565825 2 API 
calls 30723->30733 30734 756564e 2 API calls 30723->30734 30735 7565c2d 4 API calls 30723->30735 30736 7565f4a 2 API calls 30723->30736 30737 7565a2a 2 API calls 30723->30737 30738 7565e88 2 API calls 30723->30738 30739 75656c8 2 API calls 30723->30739 30740 7565ae9 2 API calls 30723->30740 30724 756527e 30724->30679 30725->30724 30726->30724 30727->30724 30728->30724 30729->30724 30730->30724 30731->30724 30732->30724 30733->30724 30734->30724 30735->30724 30736->30724 30737->30724 30738->30724 30739->30724 30740->30724 30742 75657b9 30741->30742 30824 7566418 30742->30824 30829 7566408 30742->30829 30743 756608d 30747 7565652 30746->30747 30842 75639ed 30747->30842 30846 75639f8 30747->30846 30850 7566308 30751->30850 30855 75662f8 30751->30855 30752 75658ee 30752->30685 30868 7563770 30755->30868 30872 7563769 30755->30872 30756 7565b0d 30760 75656cc 30759->30760 30762 75639ed CreateProcessA 30760->30762 30763 75639f8 CreateProcessA 30760->30763 30761 75656ff 30761->30685 30762->30761 30763->30761 30766 7563770 WriteProcessMemory 30764->30766 30767 7563769 WriteProcessMemory 30764->30767 30765 7565e87 30765->30764 30766->30765 30767->30765 30769 7565a3f 30768->30769 30876 7563860 30769->30876 30880 7563858 30769->30880 30770 756572a 30770->30685 30774 7565f4e 30773->30774 30775 7565e87 30773->30775 30776 7563770 WriteProcessMemory 30775->30776 30777 7563769 WriteProcessMemory 30775->30777 30776->30775 30777->30775 30779 7565ba5 30778->30779 30780 75657d1 30779->30780 30785 75635d0 Wow64SetThreadContext 30779->30785 30786 75635d8 Wow64SetThreadContext 30779->30786 30781 7565d4f 30780->30781 30783 7566418 2 API calls 30780->30783 30784 7566408 2 API calls 30780->30784 30781->30685 30782 756608d 30783->30782 30784->30782 30785->30780 30786->30780 30788 756565c 30787->30788 30790 75639ed CreateProcessA 30788->30790 30791 75639f8 CreateProcessA 30788->30791 30789 75656ff 30789->30685 30790->30789 30791->30789 30793 756583f 30792->30793 30795 7566418 2 API calls 
30793->30795 30796 7566408 2 API calls 30793->30796 30794 756608d 30795->30794 30796->30794 30803 75635d0 Wow64SetThreadContext 30797->30803 30804 75635d8 Wow64SetThreadContext 30797->30804 30798 75657d1 30799 7565d4f 30798->30799 30801 7566418 2 API calls 30798->30801 30802 7566408 2 API calls 30798->30802 30799->30685 30800 756608d 30801->30800 30802->30800 30803->30798 30804->30798 30806 7565875 30805->30806 30807 7565896 30805->30807 30808 7563770 WriteProcessMemory 30806->30808 30809 7563769 WriteProcessMemory 30806->30809 30807->30685 30808->30807 30809->30807 30811 7565d55 30810->30811 30884 75636b0 30811->30884 30888 75636a8 30811->30888 30812 7565d73 30816 7565e87 30815->30816 30817 7563770 WriteProcessMemory 30816->30817 30818 7563769 WriteProcessMemory 30816->30818 30817->30816 30818->30816 30820 7565864 30819->30820 30822 7563770 WriteProcessMemory 30820->30822 30823 7563769 WriteProcessMemory 30820->30823 30821 7565896 30821->30685 30822->30821 30823->30821 30825 756642d 30824->30825 30834 7563520 30825->30834 30838 7563528 30825->30838 30826 7566440 30826->30743 30830 756642d 30829->30830 30832 7563520 ResumeThread 30830->30832 30833 7563528 ResumeThread 30830->30833 30831 7566440 30831->30743 30832->30831 30833->30831 30835 7563568 ResumeThread 30834->30835 30837 7563599 30835->30837 30837->30826 30839 7563568 ResumeThread 30838->30839 30841 7563599 30839->30841 30841->30826 30843 75639f6 CreateProcessA 30842->30843 30845 7563c43 30843->30845 30845->30845 30847 7563a81 CreateProcessA 30846->30847 30849 7563c43 30847->30849 30849->30849 30851 756631d 30850->30851 30860 75635d0 30851->30860 30864 75635d8 30851->30864 30852 7566333 30852->30752 30856 7566308 30855->30856 30858 75635d0 Wow64SetThreadContext 30856->30858 30859 75635d8 Wow64SetThreadContext 30856->30859 30857 7566333 30857->30752 30858->30857 30859->30857 30861 75635d8 Wow64SetThreadContext 30860->30861 30863 7563665 30861->30863 30863->30852 30865 756361d Wow64SetThreadContext 
30864->30865 30867 7563665 30865->30867 30867->30852 30869 75637b8 WriteProcessMemory 30868->30869 30871 756380f 30869->30871 30871->30756 30873 75637b8 WriteProcessMemory 30872->30873 30875 756380f 30873->30875 30875->30756 30877 75638ab ReadProcessMemory 30876->30877 30879 75638ef 30877->30879 30879->30770 30881 75638ab ReadProcessMemory 30880->30881 30883 75638ef 30881->30883 30883->30770 30885 75636f0 VirtualAllocEx 30884->30885 30887 756372d 30885->30887 30887->30812 30889 75636f0 VirtualAllocEx 30888->30889 30891 756372d 30889->30891 30891->30812 30892 11dd6a8 DuplicateHandle 30893 11dd73e 30892->30893 30894 5451cf0 30895 5451d58 CreateWindowExW 30894->30895 30897 5451e14 30895->30897 30897->30897 30898 7566460 30899 75665eb 30898->30899 30901 7566486 30898->30901 30901->30899 30902 75624b0 30901->30902 30903 75666e0 PostMessageW 30902->30903 30904 756674c 30903->30904 30904->30901 30598 117d01c 30599 117d034 30598->30599 30600 117d08e 30599->30600 30604 545115c 30599->30604 30613 5451ea8 30599->30613 30617 5452c08 30599->30617 30607 5451167 30604->30607 30605 5452c79 30642 5451284 30605->30642 30607->30605 30608 5452c69 30607->30608 30626 5452d90 30608->30626 30631 5452da0 30608->30631 30636 5452e6c 30608->30636 30609 5452c77 30614 5451ece 30613->30614 30615 545115c CallWindowProcW 30614->30615 30616 5451eef 30615->30616 30616->30600 30618 5452c18 30617->30618 30619 5452c79 30618->30619 30621 5452c69 30618->30621 30620 5451284 CallWindowProcW 30619->30620 30622 5452c77 30620->30622 30623 5452d90 CallWindowProcW 30621->30623 30624 5452da0 CallWindowProcW 30621->30624 30625 5452e6c CallWindowProcW 30621->30625 30623->30622 30624->30622 30625->30622 30628 5452da0 30626->30628 30627 5452e40 30627->30609 30646 5452e52 30628->30646 30650 5452e58 30628->30650 30633 5452db4 30631->30633 30632 5452e40 30632->30609 30634 5452e52 CallWindowProcW 30633->30634 30635 5452e58 CallWindowProcW 30633->30635 30634->30632 30635->30632 30637 5452e2a 30636->30637 30638 5452e7a 
30636->30638 30640 5452e52 CallWindowProcW 30637->30640 30641 5452e58 CallWindowProcW 30637->30641 30639 5452e40 30639->30609 30640->30639 30641->30639 30643 545128f 30642->30643 30644 545435a CallWindowProcW 30643->30644 30645 5454309 30643->30645 30644->30645 30645->30609 30647 5452e58 30646->30647 30648 5452e69 30647->30648 30653 5454291 30647->30653 30648->30627 30651 5452e69 30650->30651 30652 5454291 CallWindowProcW 30650->30652 30651->30627 30652->30651 30654 5451284 CallWindowProcW 30653->30654 30655 54542aa 30654->30655 30655->30648 30905 7563eea 30907 7563ef0 30905->30907 30906 7563eba 30907->30906 30909 7565240 12 API calls 30907->30909 30910 7565230 12 API calls 30907->30910 30911 756529e 12 API calls 30907->30911 30908 756420e 30909->30908 30910->30908 30911->30908 30656 11d47d0 30657 11d47d9 30656->30657 30658 11d47df 30657->30658 30660 11d48c9 30657->30660 30661 11d48ed 30660->30661 30664 11d4de0 30661->30664 30666 11d4e07 30664->30666 30665 11d4ee4 30666->30665 30668 11d4a2c 30666->30668 30669 11d5e70 CreateActCtxA 30668->30669 30671 11d5f33 30669->30671 30671->30671 30672 11db3c0 30673 11db408 GetModuleHandleW 30672->30673 30674 11db402 30672->30674 30675 11db435 30673->30675 30674->30673 30912 11dd460 30913 11dd4a6 GetCurrentProcess 30912->30913 30915 11dd4f8 GetCurrentThread 30913->30915 30916 11dd4f1 30913->30916 30917 11dd52e 30915->30917 30918 11dd535 GetCurrentProcess 30915->30918 30916->30915 30917->30918 30919 11dd56b 30918->30919 30920 11dd593 GetCurrentThreadId 30919->30920 30921 11dd5c4 30920->30921

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 263 11dd460-11dd4ef GetCurrentProcess 267 11dd4f8-11dd52c GetCurrentThread 263->267 268 11dd4f1-11dd4f7 263->268 269 11dd52e-11dd534 267->269 270 11dd535-11dd569 GetCurrentProcess 267->270 268->267 269->270 272 11dd56b-11dd571 270->272 273 11dd572-11dd58a 270->273 272->273 284 11dd58d call 11dd62f 273->284 285 11dd58d call 11dd641 273->285 276 11dd593-11dd5c2 GetCurrentThreadId 277 11dd5cb-11dd62d 276->277 278 11dd5c4-11dd5ca 276->278 278->277 284->276 285->276
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 011DD4DE
                                                              • GetCurrentThread.KERNEL32 ref: 011DD51B
                                                              • GetCurrentProcess.KERNEL32 ref: 011DD558
                                                              • GetCurrentThreadId.KERNEL32 ref: 011DD5B1
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1373276047.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_11d0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: 703ce539ca980113fa07cda5914d9ef7b6ed22454b388173ac163b5c30401b9b
                                                              • Instruction ID: b9996bfb070b31fc8a4c460130219dca4147111b705d3003359b867159a09ff3
                                                              • Opcode Fuzzy Hash: 703ce539ca980113fa07cda5914d9ef7b6ed22454b388173ac163b5c30401b9b
                                                              • Instruction Fuzzy Hash: 395154B0D003098FDB29DFAAD548B9EBBF1AF48314F20C469E419A7390DB34A945CB65

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 389 75639ed-7563a8d 393 7563ac6-7563ae6 389->393 394 7563a8f-7563a99 389->394 399 7563b1f-7563b4e 393->399 400 7563ae8-7563af2 393->400 394->393 395 7563a9b-7563a9d 394->395 397 7563ac0-7563ac3 395->397 398 7563a9f-7563aa9 395->398 397->393 401 7563aad-7563abc 398->401 402 7563aab 398->402 410 7563b87-7563c41 CreateProcessA 399->410 411 7563b50-7563b5a 399->411 400->399 403 7563af4-7563af6 400->403 401->401 404 7563abe 401->404 402->401 405 7563af8-7563b02 403->405 406 7563b19-7563b1c 403->406 404->397 408 7563b06-7563b15 405->408 409 7563b04 405->409 406->399 408->408 412 7563b17 408->412 409->408 422 7563c43-7563c49 410->422 423 7563c4a-7563cd0 410->423 411->410 413 7563b5c-7563b5e 411->413 412->406 415 7563b60-7563b6a 413->415 416 7563b81-7563b84 413->416 417 7563b6e-7563b7d 415->417 418 7563b6c 415->418 416->410 417->417 419 7563b7f 417->419 418->417 419->416 422->423 433 7563cd2-7563cd6 423->433 434 7563ce0-7563ce4 423->434 433->434 435 7563cd8 433->435 436 7563ce6-7563cea 434->436 437 7563cf4-7563cf8 434->437 435->434 436->437 438 7563cec 436->438 439 7563cfa-7563cfe 437->439 440 7563d08-7563d0c 437->440 438->437 439->440 441 7563d00 439->441 442 7563d1e-7563d25 440->442 443 7563d0e-7563d14 440->443 441->440 444 7563d27-7563d36 442->444 445 7563d3c 442->445 443->442 444->445 447 7563d3d 445->447 447->447
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07563C2E
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1401771861.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_7560000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 2999705a86f83e85b372f88fc4b489a6e1e4e3de48d59ed509c56dfce125162e
                                                              • Instruction ID: 202548465ee21055d24d17bc8c9119352b6875e37c5761ee7f9b74bddba745b6
                                                              • Opcode Fuzzy Hash: 2999705a86f83e85b372f88fc4b489a6e1e4e3de48d59ed509c56dfce125162e
                                                              • Instruction Fuzzy Hash: 7FA16DB1D0031ADFEB24CF68C845BEDBBB2BF44314F04816AE809A7290DB759985CF91

                                                               Control-flow Graph
                                                               • Graph: function 75639f8-7563d3d; CreateProcessA called from block 7563b87-7563c41 (graph rendering not reproduced)
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07563C2E
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1401771861.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_7560000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 0cb68e2475d9dddf92c2f1955a3efe3e757eb9e0863f7bea8be90a8747e9bc84
                                                              • Instruction ID: 29bc2c62464e02b3d2383bd7608a47100436a8f04ca9fdfccd96d53705996e06
                                                              • Opcode Fuzzy Hash: 0cb68e2475d9dddf92c2f1955a3efe3e757eb9e0863f7bea8be90a8747e9bc84
                                                              • Instruction Fuzzy Hash: 6E916EB1D0031ACFEB24CF69C845BEDBBB2BF44314F14816AE809A7290DB759985CF91

                                                               Control-flow Graph
                                                               • Graph: function 5451ced-5451e61; CreateWindowExW called from block 5451db3-5451e12 (graph rendering not reproduced)
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05451E02
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1398513851.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_5450000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              • Opcode ID: 9927303276ba3a7f3a3f677ae1957bf9b0ad8526c56051e37a1eaa853c38a543
                                                              • Instruction ID: a19e3062aad964116e2758d3ff635813707d03fee06921a37cfb96e6566dcde3
                                                              • Opcode Fuzzy Hash: 9927303276ba3a7f3a3f677ae1957bf9b0ad8526c56051e37a1eaa853c38a543
                                                              • Instruction Fuzzy Hash: 1451C1B1D00359DFDB14CF9AC884ADEBFB2BF48310F64812AE819AB211D7759845CF90

                                                               Control-flow Graph
                                                               • Graph: function 5451cf0-5451e61; CreateWindowExW called from block 5451d73-5451e12 (graph rendering not reproduced)
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05451E02
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1398513851.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_5450000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              • Opcode ID: 00ee040d5b4534f5c64dd5a23d1725af0c4c64505cd00a88669ab49de55b0681
                                                              • Instruction ID: c986459edb2e2ce829356c9815a83e84b1aec9ff2650bdb0d09bd4d2546f2330
                                                              • Opcode Fuzzy Hash: 00ee040d5b4534f5c64dd5a23d1725af0c4c64505cd00a88669ab49de55b0681
                                                              • Instruction Fuzzy Hash: AB41B0B1D00359DFDB14CF9AC884ADEBBB5FF48310F64812AE819AB211D775A845CF94

                                                               Control-flow Graph
                                                               • Graph: function 5451284-54543dc; CallWindowProcW called from block 545435a-5454392, internal call to 545115c from block 54543ac-54543cc (graph rendering not reproduced)
                                                              APIs
                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 05454381
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1398513851.0000000005450000.00000040.00000800.00020000.00000000.sdmp, Offset: 05450000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_5450000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: CallProcWindow
                                                              • String ID:
                                                              • API String ID: 2714655100-0
                                                              • Opcode ID: 50a0865b1a0c244fd3b1adff1fd447a1e9ace1cd61cca23db23a3808608efe85
                                                              • Instruction ID: 61aa477772a6eee059ebfd627473d2f1ac308e1207b804db7c64718be30818b2
                                                              • Opcode Fuzzy Hash: 50a0865b1a0c244fd3b1adff1fd447a1e9ace1cd61cca23db23a3808608efe85
                                                              • Instruction Fuzzy Hash: 88412AB4A003458FCB14CF95C448AABBBF5FF88324F25C459D519AB361D774A841CFA0

                                                               Control-flow Graph
                                                               • Graph: function 11d4a2c-11d5fb9; CreateActCtxA called from block 11d4a2c-11d5f31 (graph rendering not reproduced)
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 011D5F21
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1373276047.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_11d0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: b38e6962a3506f8a2a263deedc0b8ca0cf161c1b7eb94f365119857a1c9a0f6b
                                                              • Instruction ID: 0271720bc85282d485c65c7349d6b9db8811fe51798b2e8681f6c2eec8ffa027
                                                              • Opcode Fuzzy Hash: b38e6962a3506f8a2a263deedc0b8ca0cf161c1b7eb94f365119857a1c9a0f6b
                                                              • Instruction Fuzzy Hash: 0E41D2B1C00719CBEB28DFA9C84478EBBB6BF48304F20816AD508AB251DB756946CF91

                                                               Control-flow Graph
                                                               • Graph: function 11d5e6d-11d5fb9; CreateActCtxA called from block 11d5e6d-11d5f31 (graph rendering not reproduced)
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 011D5F21
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1373276047.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_11d0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 82c205a68a1c4b800ad017e30d3dcdbb8f50fdbf56617b14c48f31920d88c9bf
                                                              • Instruction ID: 0f3785d7578f57621649ff0210cf38b4d00a2ba712c1d784cfa27d7515643e3d
                                                              • Opcode Fuzzy Hash: 82c205a68a1c4b800ad017e30d3dcdbb8f50fdbf56617b14c48f31920d88c9bf
                                                              • Instruction Fuzzy Hash: 7541E2B1C00719CFEB28DFA9C844BDEBBB6BF48304F20816AD508AB255DB755946CF51

                                                               Control-flow Graph
                                                               • Graph: function 7563769-7563846; WriteProcessMemory called from block 75637ce-756380d (graph rendering not reproduced)
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07563800
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1401771861.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_7560000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 9378bc1a97d3382b9a839c0b327bf6daa9057a769230a96f482262fb42b5748e
                                                              • Instruction ID: 1393874cd53c8619b66a49999b462f3a0e20dad2f8e3fd9f819d03bbec8ab526
                                                              • Opcode Fuzzy Hash: 9378bc1a97d3382b9a839c0b327bf6daa9057a769230a96f482262fb42b5748e
                                                              • Instruction Fuzzy Hash: CF217AB5D003499FDB10CFA9C885BDEBBF1FF48310F50842AE959A3240C7789945CBA0

                                                               Control-flow Graph
                                                               • Graph: function 7563770-7563846; WriteProcessMemory called from block 75637ce-756380d (graph rendering not reproduced)
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07563800
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1401771861.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_7560000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 8a95dcc88855b1385a14fafca266be8ff9302bc1cd0774e3493aab0eabb86e32
                                                              • Instruction ID: 0f3103ff8cfe721e5f0081e628124f2cf079a4751830916d7554544e414ede4e
                                                              • Opcode Fuzzy Hash: 8a95dcc88855b1385a14fafca266be8ff9302bc1cd0774e3493aab0eabb86e32
                                                              • Instruction Fuzzy Hash: 752166B5D003199FDB10CFAAC885BDEBBF5FF48310F50842AE919A7240C7789940CBA4

                                                               Control-flow Graph
                                                               • Graph: function 75635d0-756369c; Wow64SetThreadContext called from block 7563633-7563663 (graph rendering not reproduced)
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07563656
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1401771861.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_7560000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: e6e275d19e10e773a6743c0200811bfccb6e41e31b4aa777c391b7fad8eabf8d
                                                              • Instruction ID: 31fd32b4b00f1e00dfc0f06fc34ba88a21ca6e95d55114a271d8d73e0115933b
                                                              • Opcode Fuzzy Hash: e6e275d19e10e773a6743c0200811bfccb6e41e31b4aa777c391b7fad8eabf8d
                                                              • Instruction Fuzzy Hash: 602157B1D003499FDB20DFAAC485BEEBBF4EB48220F54842AD419A7740CB789945CFA5
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075638E0
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1401771861.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_7560000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: 01a784e0e6bef9e8c31be62eb9f997a060c62328383195a1044ef4918eb27148
                                                              • Instruction ID: 9f1a7777f3d09977cf46952ee99eb1727a25974af9172f4a8b65897d6580f44f
                                                              • Opcode Fuzzy Hash: 01a784e0e6bef9e8c31be62eb9f997a060c62328383195a1044ef4918eb27148
                                                              • Instruction Fuzzy Hash: 92214AB5C003599FDB10DFAAC841BEEBBF1FF48310F50842AE959A7240D7399905CBA5
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07563656
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1401771861.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_7560000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: bf579864139688e79a6605b408ab33843919937ca12237e0c0685f2f712902cf
                                                              • Instruction ID: 1c141cd813c6adf2ada90d9ba734f0626a338a9791da889bd30b95b24387023b
                                                              • Opcode Fuzzy Hash: bf579864139688e79a6605b408ab33843919937ca12237e0c0685f2f712902cf
                                                              • Instruction Fuzzy Hash: 6E2134B1D003499FDB20DFAAC485BEEBBF4AB48220F54842AD519A7240DB789945CFA4
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 075638E0
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1401771861.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_7560000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: bbb8d61d7f4cc9ddce5d11d2309886bcb2b062c35ced484430e36237219b2377
                                                              • Instruction ID: ddd0a04b0c41b3c55a7fe8d9d0a78a10d8ba9c771fc772cf935e133b06b158ae
                                                              • Opcode Fuzzy Hash: bbb8d61d7f4cc9ddce5d11d2309886bcb2b062c35ced484430e36237219b2377
                                                              • Instruction Fuzzy Hash: 522128B1C003599FDB10DFAAC845BDEBBF5FF48310F50842AE919A7240D7399901CBA4
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011DD72F
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1373276047.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_11d0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: ff53eb47481cfb3c0c0f966622eb137f96d948ca23f10f61aae8975e77872d3b
                                                              • Instruction ID: 2dafc0fc38557c4c0d4d18c265ed5a0f5d65baf538fe3d5ec5fd7ed635f57c0c
                                                              • Opcode Fuzzy Hash: ff53eb47481cfb3c0c0f966622eb137f96d948ca23f10f61aae8975e77872d3b
                                                              • Instruction Fuzzy Hash: F321E4B5D002489FDB10CF9AD984ADEBBF4EB48310F14801AE914A3350D375A940CF64
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0756371E
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1401771861.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_7560000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 83927b798f1a04abb0e8fb2c0fc21c8601c16dceca7e4dabf14fca4026645870
                                                              • Instruction ID: 7a6f8695e4499980003df707f5c433d28b0efe384d1310fd0640f8e36310898c
                                                              • Opcode Fuzzy Hash: 83927b798f1a04abb0e8fb2c0fc21c8601c16dceca7e4dabf14fca4026645870
                                                              • Instruction Fuzzy Hash: 771106B5D002499FDB24DFAAC845BDEBBF5EB48320F148419E519A7250C7759940CBA4
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0756371E
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1401771861.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_7560000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: b9e21c4fa1c5aae425472034d88ff80a2907117a71816cdc5497dc1c80e5f13d
                                                              • Instruction ID: d7c17e932977aaf3606bafc6a1619e5f2464e4a0306f57c71e22fe35b2286824
                                                              • Opcode Fuzzy Hash: b9e21c4fa1c5aae425472034d88ff80a2907117a71816cdc5497dc1c80e5f13d
                                                              • Instruction Fuzzy Hash: E21126B5D003499FDB20DFAAC845BDEBBF5EB48320F148419E515A7250CB769940CFA4
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1401771861.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_7560000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 04d730729393f7cf604da8f73525fe0b3101d8f94eddbb3ba7866f57f613ab0d
                                                              • Instruction ID: 15e206438e638c55bdaf8e25ad7fa22abe3ee9eba43c8ce3bc7f6fc552609a4c
                                                              • Opcode Fuzzy Hash: 04d730729393f7cf604da8f73525fe0b3101d8f94eddbb3ba7866f57f613ab0d
                                                              • Instruction Fuzzy Hash: 681146B1D003598FDB20DFAAC445BEEFBF4AB48224F54841AD519A7240CB79A945CF94
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1401771861.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_7560000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 70af15728acc232de4f4fd557ace3ead51be1d211bb882ecf520844aa64bbcf1
                                                              • Instruction ID: 064e4ffae3c1c2444284b294ecf2ba45aaec540f61dea4c2a5d2eda5cf195b8f
                                                              • Opcode Fuzzy Hash: 70af15728acc232de4f4fd557ace3ead51be1d211bb882ecf520844aa64bbcf1
                                                              • Instruction Fuzzy Hash: 1F1136B1D003598FDB20DFAAC4457DEFBF5EB88320F64841AD519A7240DB79A941CFA4
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 011DB426
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1373276047.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_11d0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: a6ac7c5ccf292f512b11a2982cf34ef3dcbb62a658a29123ce66827313c13e5b
                                                              • Instruction ID: 245806d861c0cd3581e178af9850019b37ddbd273bc086ca11939c53ae1feb73
                                                              • Opcode Fuzzy Hash: a6ac7c5ccf292f512b11a2982cf34ef3dcbb62a658a29123ce66827313c13e5b
                                                              • Instruction Fuzzy Hash: 1D110FB5C003498FDB24DF9AC544A9EFBF4AB89220F15842AD52AB7200D379A545CFA5
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0756673D
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1401771861.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_7560000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: 0913532091b907f8718b2b43a41123b7a5c60dfffd9e1699e6addcf67b8318f3
                                                              • Instruction ID: fd8c45a7c9ae5456a4bb303c70989c1d1e1dfec58201ceeeaae4f8e8be596dc8
                                                              • Opcode Fuzzy Hash: 0913532091b907f8718b2b43a41123b7a5c60dfffd9e1699e6addcf67b8318f3
                                                              • Instruction Fuzzy Hash: 441103B5800349DFDB20DF9AD889BDEBBF8FB48320F10841AE519A7200D375A944CFA5
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0756673D
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1401771861.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_7560000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: 7a5c33a4e1e63654a7c75abbf646e3be5d3531cf2f60772550572b8253763be1
                                                              • Instruction ID: f4916014e18294511756638f327964063dd843b59ec7ae6f4872e0116dd069af
                                                              • Opcode Fuzzy Hash: 7a5c33a4e1e63654a7c75abbf646e3be5d3531cf2f60772550572b8253763be1
                                                              • Instruction Fuzzy Hash: 3C1103B5C00259DFDB20DF9AD885BDEBBF4FB48320F24841AE518A3250D379A944CFA1
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1366176870.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_117d000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 79314b2e95e7e4dd2bf5bf59313838b37f7f5c45afe9d3e7cf2904e7f186f9ba
                                                              • Instruction ID: 40c538663e1156160a5944fb6a2546fcff1acceadec8c42ffc3b30842eb03789
                                                              • Opcode Fuzzy Hash: 79314b2e95e7e4dd2bf5bf59313838b37f7f5c45afe9d3e7cf2904e7f186f9ba
                                                              • Instruction Fuzzy Hash: B021C1716042089FDF19DF94E980B15BB75FF84324F24C5ADE9494B352C336D447CA62
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1366176870.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_117d000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e8ef2fdd7280aad932fbc4f73702ea77e485cb0b667b9babee6a1bee56bdb490
                                                              • Instruction ID: 38fc36be03eee5eb5a03bf9da34f7d140ae5ef70ec93dfc397cfb3f947eef1cd
                                                              • Opcode Fuzzy Hash: e8ef2fdd7280aad932fbc4f73702ea77e485cb0b667b9babee6a1bee56bdb490
                                                              • Instruction Fuzzy Hash: 3721CF756042089FDF1ADF54E984B16BB75EB88314F24C5ADD84A4B386C336D847CA62
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1366176870.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_117d000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 65e6b329490fdd23ab6a973cf2686f35c120659b6bb79425574d3bd85bd584b1
                                                              • Instruction ID: b14ba0dedb7034315d0b3fc47a1f318cc67d5dbef1104aa88526bd7196339989
                                                              • Opcode Fuzzy Hash: 65e6b329490fdd23ab6a973cf2686f35c120659b6bb79425574d3bd85bd584b1
                                                              • Instruction Fuzzy Hash: 8F21AE755093848FCB17CF64D990B15BF71EF46214F28C5EAD8498F2A7C33A980ACB62
                                                              Memory Dump Source
                                                              • Source File: 0000001E.00000002.1366176870.000000000117D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0117D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_30_2_117d000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                              • Instruction ID: a7d27333c7a3220381dbcc63390631ff9f3f6dce552efd2bcb9a04fc98e7e5a3
                                                              • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                              • Instruction Fuzzy Hash: B611A975504284DFCB0ACF54D5C0B15BBB2FB84224F28C6A9D8494B396C33AD40ACB62

                                                              Execution Graph

                                                              Execution Coverage: 9.1%
                                                              Dynamic/Decrypted Code Coverage: 100%
                                                              Signature Coverage: 0%
                                                              Total number of Nodes: 259
                                                              Total number of Limit Nodes: 13

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07743C2E
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1403234025.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_7740000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: f7291a66d606d3806936ec0283169c665f9fad12007688615309e8f95cb5e45b
                                                              • Instruction ID: 00b36d20ee0ebb31660b861ff8f1d382e0dc0100d62b60898a4ce4aff9fd0545
                                                              • Opcode Fuzzy Hash: f7291a66d606d3806936ec0283169c665f9fad12007688615309e8f95cb5e45b
                                                              • Instruction Fuzzy Hash: 56A15AB1D0031ACFEB24CF69C841BEDBBB2BB48354F148569E809B7280DB759985CF91

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07743C2E
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1403234025.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_7740000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 03bf8f51d21a0afb8e5f8b3596338cf3faa6bd6fff31557a98cb45aae3ef7abd
                                                              • Instruction ID: 7a0884315a6d1fa728d4231fc4bbfaffaf810675c9a46568a24be95af910d47a
                                                              • Opcode Fuzzy Hash: 03bf8f51d21a0afb8e5f8b3596338cf3faa6bd6fff31557a98cb45aae3ef7abd
                                                              • Instruction Fuzzy Hash: A39158B1D0031ACFEB24CF69C841BEDBBB2BB48354F148569E809B7280DB759985CF91

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 054EB426
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1396551823.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_54e0000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 91163ad1a1110120554f1dbcc93068fc89e953787d65a2eb031f04d93b02ed50
                                                              • Instruction ID: bbb4ad702dca4ddf73911994771bebdc4f5e423f52239a0af79cd10b548566c0
                                                              • Opcode Fuzzy Hash: 91163ad1a1110120554f1dbcc93068fc89e953787d65a2eb031f04d93b02ed50
                                                              • Instruction Fuzzy Hash: 8F712570A00B058FD724DF6AD4457AABBF2FF88201F10896ED44ADBB50DB74E849CB91

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              APIs
                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 05614381
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1400738759.0000000005610000.00000040.00000800.00020000.00000000.sdmp, Offset: 05610000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_5610000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: CallProcWindow
                                                              • String ID:
                                                              • API String ID: 2714655100-0

                                                              Control-flow Graph: entry block 54e5e64-54e5f31, calls CreateActCtxA
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 054E5F21
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1396551823.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_54e0000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0

                                                              Control-flow Graph: entry block 54e4a2c-54e5f31, calls CreateActCtxA
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 054E5F21
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1396551823.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_54e0000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0

                                                              Control-flow Graph: entry block 7743769-77437be, calls WriteProcessMemory
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07743800
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1403234025.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_7740000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0

                                                              Control-flow Graph: entry block 77435d0-7743623, calls Wow64SetThreadContext
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07743656
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1403234025.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_7740000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0

                                                              Control-flow Graph: entry block 7743770-77437be, calls WriteProcessMemory
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07743800
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1403234025.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_7740000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0

                                                              Control-flow Graph: entry block 7743858-77438ed, calls ReadProcessMemory
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077438E0
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1403234025.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_7740000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,054ED66E,?,?,?,?,?), ref: 054ED72F
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1396551823.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_54e0000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0

                                                              Control-flow Graph: entry block 54ed238-54ed73c, calls DuplicateHandle
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,054ED66E,?,?,?,?,?), ref: 054ED72F
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1396551823.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_54e0000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07743656
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1403234025.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_7740000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077438E0
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1403234025.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_7740000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0774371E
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1403234025.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_7740000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1403234025.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_7740000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0774371E
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1403234025.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_7740000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1403234025.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_7740000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07746C45
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1403234025.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_7740000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 07746C45
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1403234025.0000000007740000.00000040.00000800.00020000.00000000.sdmp, Offset: 07740000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_7740000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 054EB426
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1396551823.00000000054E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_54e0000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1376437513.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_155d000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 432455068f7355d0b2fd3a1e45c8d5cc3af4cb7d6978f602c40e0dddf14b052c
                                                              • Instruction ID: cf921719ef9fcbec5b0f71a862567fe7554f6f7d3e1849f11ae9609e8e5bd25e
                                                              • Opcode Fuzzy Hash: 432455068f7355d0b2fd3a1e45c8d5cc3af4cb7d6978f602c40e0dddf14b052c
                                                              • Instruction Fuzzy Hash: 4B213672504200DFDB45DF44D9C0B5ABFB5FB84324F20C56ADC090F246C376E446CAA2
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1376437513.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_155d000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 440d6fe10b261e7399463bfd99b236e88bfe5e70c14f46d830d2f39d90b31946
                                                              • Instruction ID: 7b6b5b602a69c1488202408371562082a8f5e35666c22097c5debfb8c34243cf
                                                              • Opcode Fuzzy Hash: 440d6fe10b261e7399463bfd99b236e88bfe5e70c14f46d830d2f39d90b31946
                                                              • Instruction Fuzzy Hash: 66210372504240DFDB55DF54D9D0B2ABFB5FB88328F20C56AEC090F256C336D456CAA2
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1376770649.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_156d000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c15f99ba6f3ff5c618df993b3880f73a176b1430231da95ec545f05279c65ebd
                                                              • Instruction ID: 58a2ec7fb71ff5173dcf162dda8bcd8174997537a4f2bcb2c464395aee56edcf
                                                              • Opcode Fuzzy Hash: c15f99ba6f3ff5c618df993b3880f73a176b1430231da95ec545f05279c65ebd
                                                              • Instruction Fuzzy Hash: 4621F571A04200DFDB15DF94D9C0B25BBB9FB84324F24C96DD8894F252C736D446CAA1
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1376770649.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_156d000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 017abbad4fd00a7fb247c2a13fa79fef0db210883df8d312c5b0ac3458d026b5
                                                              • Instruction ID: cc719331ba170b819a7b9bdb9203b454590fd162c47bbd7e4e5c30ce97421d82
                                                              • Opcode Fuzzy Hash: 017abbad4fd00a7fb247c2a13fa79fef0db210883df8d312c5b0ac3458d026b5
                                                              • Instruction Fuzzy Hash: 02210375604200DFDB15DF54D984B26BBB9FB84324F20C96DD8890F246D337D447CAA1
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1376770649.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_156d000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 34f9e35eb77afba2be0ca1d14901fc0b7674c2cc9eecfa535d176d0fa7618bd1
                                                              • Instruction ID: 1d8622eb0df5ab683b0d87f9a558120f4b86fdb5f10b87addad20c042ea636a2
                                                              • Opcode Fuzzy Hash: 34f9e35eb77afba2be0ca1d14901fc0b7674c2cc9eecfa535d176d0fa7618bd1
                                                              • Instruction Fuzzy Hash: F12183755093808FC702CF24D590715BF71FB46224F28C5DAD8898F2A7C33A980ACBA2
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1376437513.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_155d000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                              • Instruction ID: b203f6fcc42f98a687d441c540ca318b9a2f47ec35e0255fd810aea322f8b325
                                                              • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                              • Instruction Fuzzy Hash: FD11CD76504240CFDB06CF44D5C0B5ABF72FB84324F24C2AADC490A656C33AE456CBA1
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1376437513.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_155d000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                              • Instruction ID: 7b088d04802b6da968d977bf752a18532878d5b80c49448290a1a85a08a8c9f1
                                                              • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                                                              • Instruction Fuzzy Hash: 05119D76504280CFCB16CF54D5C4B1ABF72FB84328F2486AADC490B656C33AD45ACBA1
                                                              Memory Dump Source
                                                              • Source File: 0000001F.00000002.1376770649.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_31_2_156d000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                              • Instruction ID: bd42b4dd9bbfd94363e417e63607a404ffff5cfa4821709f4e8db69bb96a2049
                                                              • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                              • Instruction Fuzzy Hash: 6311BE75604240DFCB16CF54C5C0B19BB71FB84324F28CAADD8894F296C33AD44ACB91

                                                              Execution Graph

                                                              Execution Coverage:12.5%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:19
                                                              Total number of Limit Nodes:4
                                                              execution_graph 26723 15c0848 26725 15c084e 26723->26725 26724 15c091b 26725->26724 26727 15c1380 26725->26727 26729 15c1396 26727->26729 26728 15c1480 26728->26725 26729->26728 26731 15c7eb0 26729->26731 26732 15c7eba 26731->26732 26733 15c7ed4 26732->26733 26736 6d9fa09 26732->26736 26741 6d9fa18 26732->26741 26733->26729 26738 6d9fa2d 26736->26738 26737 6d9fc42 26737->26733 26738->26737 26739 6d9fc58 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 26738->26739 26740 6d9fc68 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 26738->26740 26739->26738 26740->26738 26743 6d9fa2d 26741->26743 26742 6d9fc42 26742->26733 26743->26742 26744 6d9fc58 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 26743->26744 26745 6d9fc68 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 26743->26745 26744->26743 26745->26743
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q$$q$$q
                                                              • API String ID: 0-2069967915
                                                              • Opcode ID: 67537d1875ee9803fa77d64c56df61e83d03d02e21c5ba1287a207dbbe03186a
                                                              • Instruction ID: 5a2276b50936835c65c098a621117f212f556c3b11294d8a3181e11c4a859551
                                                              • Opcode Fuzzy Hash: 67537d1875ee9803fa77d64c56df61e83d03d02e21c5ba1287a207dbbe03186a
                                                              • Instruction Fuzzy Hash: 59D26830E10308DFDB64DF69C584A9DB7B2FF89314F5485A9D409AB264EB34ED85CB90

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 1247 6d97d68-6d97d86 1248 6d97d88-6d97d8b 1247->1248 1249 6d97d8d-6d97d9b 1248->1249 1250 6d97da2-6d97da5 1248->1250 1256 6d97d9d 1249->1256 1257 6d97e0e-6d97e24 1249->1257 1251 6d97da7-6d97dc1 1250->1251 1252 6d97dc6-6d97dc9 1250->1252 1251->1252 1253 6d97dcb-6d97dd5 1252->1253 1254 6d97dd6-6d97dd9 1252->1254 1258 6d97ddb-6d97df7 1254->1258 1259 6d97dfc-6d97dfe 1254->1259 1256->1250 1266 6d97e2a-6d97e33 1257->1266 1267 6d9803f-6d98049 1257->1267 1258->1259 1261 6d97e00 1259->1261 1262 6d97e05-6d97e08 1259->1262 1261->1262 1262->1248 1262->1257 1269 6d97e39-6d97e56 1266->1269 1270 6d9804a-6d9807f 1266->1270 1279 6d9802c-6d98039 1269->1279 1280 6d97e5c-6d97e84 1269->1280 1273 6d98081-6d98084 1270->1273 1274 6d980a7-6d980aa 1273->1274 1275 6d98086-6d980a2 1273->1275 1277 6d982df-6d982e2 1274->1277 1278 6d980b0-6d980bf 1274->1278 1275->1274 1281 6d982e8-6d982f4 1277->1281 1282 6d9838d-6d9838f 1277->1282 1291 6d980de-6d98122 1278->1291 1292 6d980c1-6d980dc 1278->1292 1279->1266 1279->1267 1280->1279 1299 6d97e8a-6d97e93 1280->1299 1289 6d982ff-6d98301 1281->1289 1286 6d98391 1282->1286 1287 6d98396-6d98399 1282->1287 1286->1287 1287->1273 1288 6d9839f-6d983a8 1287->1288 1293 6d98319-6d9831d 1289->1293 1294 6d98303-6d98309 1289->1294 1304 6d98128-6d98139 1291->1304 1305 6d982b3-6d982c9 1291->1305 1292->1291 1300 6d9832b 1293->1300 1301 6d9831f-6d98329 1293->1301 1297 6d9830b 1294->1297 1298 6d9830d-6d9830f 1294->1298 1297->1293 1298->1293 1299->1270 1306 6d97e99-6d97eb5 1299->1306 1303 6d98330-6d98332 1300->1303 1301->1303 1307 6d98343-6d9837c 1303->1307 1308 6d98334-6d98337 1303->1308 1313 6d9813f-6d9815c 1304->1313 1314 6d9829e-6d982ad 1304->1314 1305->1277 1316 6d97ebb-6d97ee5 1306->1316 1317 6d9801a-6d98026 1306->1317 1307->1278 1330 6d98382-6d9838c 1307->1330 1308->1288 1313->1314 1326 6d98162-6d98258 call 6d96590 1313->1326 1314->1304 1314->1305 1331 6d97eeb-6d97f13 1316->1331 1332 6d98010-6d98015 1316->1332 1317->1279 1317->1299 1380 6d9825a-6d98264 1326->1380 1381 6d98266 1326->1381 1331->1332 1338 6d97f19-6d97f47 1331->1338 1332->1317 1338->1332 1344 6d97f4d-6d97f56 1338->1344 1344->1332 1345 6d97f5c-6d97f8e 1344->1345 1352 6d97f99-6d97fb5 1345->1352 1353 6d97f90-6d97f94 1345->1353 1352->1317 1356 6d97fb7-6d9800e call 6d96590 1352->1356 1353->1332 1355 6d97f96 1353->1355 1355->1352 1356->1317 1382 6d9826b-6d9826d 1380->1382 1381->1382 1382->1314 1383 6d9826f-6d98274 1382->1383 1384 6d98282 1383->1384 1385 6d98276-6d98280 1383->1385 1386 6d98287-6d98289 1384->1386 1385->1386 1386->1314 1387 6d9828b-6d98297 1386->1387 1387->1314
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q
                                                              • API String ID: 0-3126353813
                                                              • Opcode ID: 7bfee7772cd8355a4594f142c3032f45c48286964cd28908a4cef2c71d85261b
                                                              • Instruction ID: c2811e0dca5863ed781f765d0887db3f46c0d13a9631ba0f4f414621ce8b4b27
                                                              • Opcode Fuzzy Hash: 7bfee7772cd8355a4594f142c3032f45c48286964cd28908a4cef2c71d85261b
                                                              • Instruction Fuzzy Hash: EA028D30B002158FDF64DB69D490BAEBBA2FF85310F148969D905DB384DB75EC82CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0bef5e6b4f28361ebbe872715b3951f4cd0d759df3e2a01b51e4a91d4887d198
                                                              • Instruction ID: c24996636f991e782f802b1bd514ec8ec88de90a5c093f29fd0c85ef8f9274ad
                                                              • Opcode Fuzzy Hash: 0bef5e6b4f28361ebbe872715b3951f4cd0d759df3e2a01b51e4a91d4887d198
                                                              • Instruction Fuzzy Hash: 7A628B34B002149FEF54DB69D590BADBBB2FB88314F148569E50ADB394DB35EC42CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6fe249c638518ae1966f445faf6658f7abc9a82c0b8324c892cc47a48139f159
                                                              • Instruction ID: e0f8dcc13d79bd5a52ba61b749c46f59122a32d24d11aad2ec4ff31788ef98ad
                                                              • Opcode Fuzzy Hash: 6fe249c638518ae1966f445faf6658f7abc9a82c0b8324c892cc47a48139f159
                                                              • Instruction Fuzzy Hash: 3922B035F002188FDF65DBA8D4807AEBBB2EF89310F248579D856AB345DA35DD41CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4a2fddbdf065d977b16b4938d06da2414933a0afaacc07ecb182c051861a82b6
                                                              • Instruction ID: 8bb79fbd39a9b113d75d05d6ef6403365b1c157d41d0687abc4436dc2fdaa78d
                                                              • Opcode Fuzzy Hash: 4a2fddbdf065d977b16b4938d06da2414933a0afaacc07ecb182c051861a82b6
                                                              • Instruction Fuzzy Hash: A1224274F102099FEF64DB69E4847AEB7B2FB89310F258526E405DB351DA34EC81CBA1

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 0 6d9acb8-6d9acd6 1 6d9acd8-6d9acdb 0->1 2 6d9acdd-6d9ace2 1->2 3 6d9ace5-6d9ace8 1->3 2->3 4 6d9ad0b-6d9ad0e 3->4 5 6d9acea-6d9ad06 3->5 6 6d9ad1f-6d9ad22 4->6 7 6d9ad10-6d9ad14 4->7 5->4 10 6d9ad3c-6d9ad3f 6->10 11 6d9ad24-6d9ad37 6->11 8 6d9ad1a 7->8 9 6d9aee4-6d9aeee 7->9 8->6 13 6d9ad4f-6d9ad52 10->13 14 6d9ad41-6d9ad4a 10->14 11->10 16 6d9ad58-6d9ad5b 13->16 17 6d9aed5-6d9aede 13->17 14->13 19 6d9ad5d-6d9ad66 16->19 20 6d9ad75-6d9ad78 16->20 17->9 17->19 21 6d9ad6c-6d9ad70 19->21 22 6d9aeef-6d9af26 19->22 23 6d9ad7a-6d9ad87 20->23 24 6d9ad8c-6d9ad8e 20->24 21->20 31 6d9af28-6d9af2b 22->31 23->24 25 6d9ad90 24->25 26 6d9ad95-6d9ad98 24->26 25->26 26->1 28 6d9ad9e-6d9adc2 26->28 39 6d9adc8-6d9add7 28->39 40 6d9aed2 28->40 33 6d9af31-6d9af6c 31->33 34 6d9b194-6d9b197 31->34 43 6d9b15f-6d9b172 33->43 44 6d9af72-6d9af7e 33->44 35 6d9b199 call 6d9b20f 34->35 36 6d9b1a6-6d9b1a9 34->36 45 6d9b19f-6d9b1a1 35->45 41 6d9b1ab-6d9b1af 36->41 42 6d9b1ba-6d9b1bd 36->42 56 6d9add9-6d9addf 39->56 57 6d9adef-6d9ae2a call 6d96590 39->57 40->17 41->33 46 6d9b1b5 41->46 47 6d9b1ca-6d9b1cd 42->47 48 6d9b1bf-6d9b1c9 42->48 51 6d9b174 43->51 58 6d9af9e-6d9afe2 44->58 59 6d9af80-6d9af99 44->59 45->36 46->42 49 6d9b1cf-6d9b1eb 47->49 50 6d9b1f0-6d9b1f2 47->50 49->50 54 6d9b1f9-6d9b1fc 50->54 55 6d9b1f4 50->55 62 6d9b175 51->62 54->31 61 6d9b202-6d9b20c 54->61 55->54 63 6d9ade1 56->63 64 6d9ade3-6d9ade5 56->64 77 6d9ae2c-6d9ae32 57->77 78 6d9ae42-6d9ae59 57->78 79 6d9affe-6d9b03d 58->79 80 6d9afe4-6d9aff6 58->80 59->51 62->62 63->57 64->57 81 6d9ae34 77->81 82 6d9ae36-6d9ae38 77->82 89 6d9ae5b-6d9ae61 78->89 90 6d9ae71-6d9ae82 78->90 87 6d9b043-6d9b11e call 6d96590 79->87 88 6d9b124-6d9b139 79->88 80->79 81->78 82->78 87->88 88->43 93 6d9ae63 89->93 94 6d9ae65-6d9ae67 89->94 99 6d9ae9a-6d9aecb 90->99 100 6d9ae84-6d9ae8a 90->100 93->90 94->90 99->40 101 6d9ae8c 100->101 102 6d9ae8e-6d9ae90 100->102 101->99 102->99
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q$$q$$q$$q$$q
                                                              • API String ID: 0-3886557441
                                                              • Opcode ID: 6b8fefd52f819406a5a3670b1c921890e3a0305732a7e922dd90a958fb3656f1
                                                              • Instruction ID: 3ea11f6597ef5a7dd0006439e15ec640646a7068db2f51242c9159e79e3a16a9
                                                              • Opcode Fuzzy Hash: 6b8fefd52f819406a5a3670b1c921890e3a0305732a7e922dd90a958fb3656f1
                                                              • Instruction Fuzzy Hash: 4EE15C35F003198FDF64DF69D8406AEB7B2FB85204F258529D805AB344EB35EC46CBA1

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 572 6d9b630-6d9b650 573 6d9b652-6d9b655 572->573 574 6d9b66f-6d9b672 573->574 575 6d9b657-6d9b65e 573->575 578 6d9b682-6d9b685 574->578 579 6d9b674-6d9b67d 574->579 576 6d9b9d3-6d9ba0e 575->576 577 6d9b664-6d9b66a 575->577 587 6d9ba10-6d9ba13 576->587 577->574 580 6d9b68c-6d9b68f 578->580 581 6d9b687-6d9b689 578->581 579->578 582 6d9b69c-6d9b69f 580->582 583 6d9b691-6d9b697 580->583 581->580 585 6d9b770-6d9b771 582->585 586 6d9b6a5-6d9b6a8 582->586 583->582 588 6d9b776-6d9b779 585->588 589 6d9b6aa-6d9b6b3 586->589 590 6d9b6c5-6d9b6c8 586->590 591 6d9ba19-6d9ba41 587->591 592 6d9bc7f-6d9bc82 587->592 593 6d9b77b-6d9b7c9 call 6d96590 588->593 594 6d9b7ce-6d9b7d1 588->594 589->576 595 6d9b6b9-6d9b6c0 589->595 598 6d9b6d8-6d9b6db 590->598 599 6d9b6ca-6d9b6d3 590->599 648 6d9ba4b-6d9ba8f 591->648 649 6d9ba43-6d9ba46 591->649 596 6d9bca5-6d9bca7 592->596 597 6d9bc84-6d9bca0 592->597 593->594 600 6d9b810-6d9b813 594->600 601 6d9b7d3-6d9b7e8 594->601 595->590 605 6d9bca9 596->605 606 6d9bcae-6d9bcb1 596->606 597->596 603 6d9b6eb-6d9b6ee 598->603 604 6d9b6dd-6d9b6e6 598->604 599->598 608 6d9b852-6d9b855 600->608 609 6d9b815-6d9b82a 600->609 601->576 626 6d9b7ee-6d9b80b 601->626 611 6d9b708-6d9b70b 603->611 612 6d9b6f0-6d9b6f6 603->612 604->603 605->606 606->587 613 6d9bcb7-6d9bcc0 606->613 620 6d9b87f-6d9b882 608->620 621 6d9b857-6d9b85e 608->621 609->576 636 6d9b830-6d9b84d 609->636 614 6d9b71a-6d9b71d 611->614 615 6d9b70d-6d9b713 611->615 612->576 619 6d9b6fc-6d9b703 612->619 624 6d9b72f-6d9b732 614->624 625 6d9b71f-6d9b72a 614->625 615->612 623 6d9b715 615->623 619->611 628 6d9b8a5-6d9b8a8 620->628 629 6d9b884-6d9b8a0 620->629 621->576 622 6d9b864-6d9b874 621->622 655 6d9b87a 622->655 656 6d9b947-6d9b94e 622->656 623->614 632 6d9b749-6d9b74c 624->632 633 6d9b734-6d9b73b 624->633 625->624 626->600 634 6d9b8ca-6d9b8cd 628->634 635 6d9b8aa-6d9b8c5 628->635 629->628 646 6d9b74e-6d9b753 632->646 647 6d9b756-6d9b759 632->647 633->576 645 6d9b741-6d9b744 633->645 638 6d9b8cf-6d9b8d2 634->638 639 6d9b8d7-6d9b8da 634->639 635->634 636->608 638->639 650 6d9b8dc-6d9b8df 639->650 651 6d9b92e-6d9b937 639->651 645->632 646->647 652 6d9b75b-6d9b761 647->652 653 6d9b766-6d9b769 647->653 685 6d9ba95-6d9ba9e 648->685 686 6d9bc74-6d9bc7e 648->686 649->613 660 6d9b8e1-6d9b8e5 650->660 661 6d9b8f0-6d9b8f3 650->661 651->589 664 6d9b93d 651->664 652->653 653->615 665 6d9b76b-6d9b76e 653->665 655->620 656->576 658 6d9b954-6d9b964 656->658 658->585 678 6d9b96a 658->678 660->604 666 6d9b8eb 660->666 667 6d9b903-6d9b906 661->667 668 6d9b8f5-6d9b8fe 661->668 669 6d9b942-6d9b945 664->669 665->585 665->588 666->661 667->585 674 6d9b90c-6d9b90f 667->674 668->667 669->656 671 6d9b96f-6d9b972 669->671 679 6d9b984-6d9b987 671->679 680 6d9b974 671->680 676 6d9b929-6d9b92c 674->676 677 6d9b911-6d9b918 674->677 676->651 676->669 677->576 683 6d9b91e-6d9b924 677->683 678->671 679->585 682 6d9b98d-6d9b990 679->682 687 6d9b97c-6d9b97f 680->687 688 6d9b992-6d9b999 682->688 689 6d9b9b6-6d9b9b8 682->689 683->676 692 6d9bc6a-6d9bc6f 685->692 693 6d9baa4-6d9bb10 call 6d96590 685->693 687->679 688->576 694 6d9b99b-6d9b9ab 688->694 690 6d9b9ba 689->690 691 6d9b9bf-6d9b9c2 689->691 690->691 691->573 696 6d9b9c8-6d9b9d2 691->696 692->686 706 6d9bc0a-6d9bc1f 693->706 707 6d9bb16-6d9bb1b 693->707 694->621 700 6d9b9b1 694->700 700->689 706->692 708 6d9bb1d-6d9bb23 707->708 709 6d9bb37 707->709 711 6d9bb29-6d9bb2b 708->711 712 6d9bb25-6d9bb27 708->712 713 6d9bb39-6d9bb3f 709->713 714 6d9bb35 711->714 712->714 715 6d9bb41-6d9bb47 713->715 716 6d9bb54-6d9bb61 713->716 714->713 717 6d9bb4d 715->717 718 6d9bbf5-6d9bc04 715->718 723 6d9bb79-6d9bb86 716->723 724 6d9bb63-6d9bb69 716->724 717->716 719 6d9bb88-6d9bb95 717->719 720 6d9bbbc-6d9bbc9 717->720 718->706 718->707 732 6d9bbad-6d9bbba 719->732 733 6d9bb97-6d9bb9d 719->733 729 6d9bbcb-6d9bbd1 720->729 730 6d9bbe1-6d9bbee 720->730 723->718 725 6d9bb6b 724->725 726 6d9bb6d-6d9bb6f 724->726 725->723 726->723 734 6d9bbd3 729->734 735 6d9bbd5-6d9bbd7 729->735 730->718 732->718 736 6d9bb9f 733->736 737 6d9bba1-6d9bba3 733->737 734->730 735->730 736->732 737->732
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q$$q$$q
                                                              • API String ID: 0-2069967915
                                                              • Opcode ID: 03d024f2dbb8a8528a09ec6b388e335789025e465ac10fc866baa2cc04599513
                                                              • Instruction ID: ae638dcb1d1b57209bc76215bcc565fc79fc94956315c7ddb2344d74607a2fde
                                                              • Opcode Fuzzy Hash: 03d024f2dbb8a8528a09ec6b388e335789025e465ac10fc866baa2cc04599513
                                                              • Instruction Fuzzy Hash: D5026C30E102098FDFA4DB68E4807AEB7B1FB85314F26856BE445DB255DB74EC41CBA1

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 740 6d99138-6d9915d 741 6d9915f-6d99162 740->741 742 6d99168-6d9917d 741->742 743 6d99a20-6d99a23 741->743 749 6d9917f-6d99185 742->749 750 6d99195-6d991ab 742->750 744 6d99a49-6d99a4b 743->744 745 6d99a25-6d99a44 743->745 747 6d99a4d 744->747 748 6d99a52-6d99a55 744->748 745->744 747->748 748->741 752 6d99a5b-6d99a65 748->752 753 6d99189-6d9918b 749->753 754 6d99187 749->754 757 6d991b6-6d991b8 750->757 753->750 754->750 758 6d991ba-6d991c0 757->758 759 6d991d0-6d99241 757->759 760 6d991c2 758->760 761 6d991c4-6d991c6 758->761 770 6d9926d-6d99289 759->770 771 6d99243-6d99266 759->771 760->759 761->759 776 6d9928b-6d992ae 770->776 777 6d992b5-6d992d0 770->777 771->770 776->777 782 6d992fb-6d99316 777->782 783 6d992d2-6d992f4 777->783 788 6d99318-6d99334 782->788 789 6d9933b-6d99349 782->789 783->782 788->789 790 6d99359-6d993d3 789->790 791 6d9934b-6d99354 789->791 797 6d99420-6d99435 790->797 798 6d993d5-6d993f3 790->798 791->752 797->743 802 6d9940f-6d9941e 798->802 803 6d993f5-6d99404 798->803 802->797 802->798 803->802
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q
                                                              • API String ID: 0-4102054182
                                                              • Opcode ID: 25b39fdfead9af694670fdfd4525c5ef6cb977334a9a107814afb561b5755948
                                                              • Instruction ID: dd6cd20c04fceaa55cebbe0b8f84326932ac15a16a0907cea218b8b48506ec2c
                                                              • Opcode Fuzzy Hash: 25b39fdfead9af694670fdfd4525c5ef6cb977334a9a107814afb561b5755948
                                                              • Instruction Fuzzy Hash: 3D913030F002199FDB64DF69D8607AE7BB6FF89300F148569D819AB344EE74ED428B91

                                                              Control-flow Graph
                                                              • Entry block: 6d9cf28; calls 6d96590, 6d9da9d, 6d9dab0 (rendered graph omitted; basic-block node and edge list not reproduced)
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q
                                                              • API String ID: 0-3067366958
                                                              • Opcode ID: 4458df8676753a4a5e8dee57c58606b4978f46d837fbd478a55bbc7caeb56228
                                                              • Instruction ID: 9e47aede249da3385b2348ed9a4b918627bda7e2b241bf0b581aa9318a02a909
                                                              • Opcode Fuzzy Hash: 4458df8676753a4a5e8dee57c58606b4978f46d837fbd478a55bbc7caeb56228
                                                              • Instruction Fuzzy Hash: CB628C34A007158FDB64EF68D590A5EBBB2FF84704B208A68D0059F759DB39FC46CB91

                                                              Control-flow Graph
                                                              • Entry block: 6d94b50; calls 6d95408, 6d953f8 (rendered graph omitted; basic-block node and edge list not reproduced)
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: fq$XPq$\Oq
                                                              • API String ID: 0-132346853
                                                              • Opcode ID: 7b4ced7ea3a6636ef61f34fdd11bfa3cf698e06979f0ef76c84d3081f03c6370
                                                              • Instruction ID: c0a2cee02c81cd8139c7851f2517aadd4acef624618fd7f7d210ee5904e1442f
                                                              • Opcode Fuzzy Hash: 7b4ced7ea3a6636ef61f34fdd11bfa3cf698e06979f0ef76c84d3081f03c6370
                                                              • Instruction Fuzzy Hash: 18616134F002199FEF549FA9C8157AEBAF6FF88304F248429D506AB395DE758C458BA0

                                                              Control-flow Graph
                                                              • Entry block: 6d99127 (rendered graph omitted; basic-block node and edge list not reproduced)
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q
                                                              • API String ID: 0-3126353813
                                                              • Opcode ID: e729acb284e2d2036bbf0e16e925e22f31557f4c56cf44f0b84e8d846d3eb0fa
                                                              • Instruction ID: bf8892a4bf3df54935cf1b614e368bd2922353feb4d79a07934a9ee3f9c58461
                                                              • Opcode Fuzzy Hash: e729acb284e2d2036bbf0e16e925e22f31557f4c56cf44f0b84e8d846d3eb0fa
                                                              • Instruction Fuzzy Hash: EA510F30B102149FDB54DB79D861BAE7BF6FF88300F148569D819EB384EA74ED428B91

                                                              Control-flow Graph
                                                              • Entry block: 15ceb48; calls 15ceb48, 15ceb38, 15cebd8, 15cec18; API GlobalMemoryStatusEx in block 15cec07-15cec94 (rendered graph omitted; basic-block node and edge list not reproduced)
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2488553863.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_15c0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 173bf97836fc8cb0a339a3e9fe25e993ab12de62b244963257398836c7008670
                                                              • Instruction ID: 3eea8818b3541d5c761fdbf529707bf5fdf2d0721a476873fc3bdfbd03519ed2
                                                              • Opcode Fuzzy Hash: 173bf97836fc8cb0a339a3e9fe25e993ab12de62b244963257398836c7008670
                                                              • Instruction Fuzzy Hash: A6412272D003598FDB14DFAAD8406AEBBF5EF89210F15866AD408E7340EB389845CBE0

                                                              Control-flow Graph
                                                              • Entry block: 15cec18; API GlobalMemoryStatusEx in block 15cec18-15cec94 (rendered graph omitted; basic-block node and edge list not reproduced)
                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 015CEC87
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2488553863.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_15c0000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID:
                                                              • API String ID: 1890195054-0
                                                              • Opcode ID: 5be0d95ce22abfa5f4a64f5d823ce73845f256f95f71e2013c63f1561e403a2e
                                                              • Instruction ID: c266b7e07a5e336e6899adc198716a6b528594efcc49a6f74969de9bce65c9e2
                                                              • Opcode Fuzzy Hash: 5be0d95ce22abfa5f4a64f5d823ce73845f256f95f71e2013c63f1561e403a2e
                                                              • Instruction Fuzzy Hash: 651103B1C0026A9FDB10DFAAD545BDEFBF4BB48320F15816AD818A7240D378A945CFA1

                                                              Control-flow Graph
                                                              • Entry block: 6d94b40; calls 6d95408, 6d953f8 (rendered graph omitted; basic-block node and edge list not reproduced)
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: XPq
                                                              • API String ID: 0-1601936878
                                                              • Opcode ID: 09268c5f2dd19729ac830ae67aff7d9526a4ad579db6996a3fb3d6d05f4406f3
                                                              • Instruction ID: a8327af631d26f3465f19846dd985b84a18e64fdf10db7a670c82a2bf9f5e6d5
                                                              • Opcode Fuzzy Hash: 09268c5f2dd19729ac830ae67aff7d9526a4ad579db6996a3fb3d6d05f4406f3
                                                              • Instruction Fuzzy Hash: D9416F74F002189FDB559FA9C8557AEBBF6FF88300F24852AD106AB395DA758C05CB90

                                                              Control-flow Graph
                                                              • Entry block: 6d9dab0 (rendered graph omitted; basic-block node and edge list not reproduced)
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PHq
                                                              • API String ID: 0-3820536768
                                                              • Opcode ID: 537401ffe55c8835c2afcd26582cb74e22292ec401d7de517a679b9e12f7c8ce
                                                              • Instruction ID: 1cd9a6ca3fa7e96776e9121f2ebcdf7580c011fc088ff3376a3aca4beeb73269
                                                              • Opcode Fuzzy Hash: 537401ffe55c8835c2afcd26582cb74e22292ec401d7de517a679b9e12f7c8ce
                                                              • Instruction Fuzzy Hash: 97414D34E00B099FDF64DF65C49469EBBB2FF85304F204529E816EB244EB74E946CBA1

                                                              Control-flow Graph
                                                              • Entry block: 6d9da9d (rendered graph omitted; basic-block node and edge list not reproduced)
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PHq
                                                              • API String ID: 0-3820536768
                                                              • Opcode ID: e8cc88d14ffa10021ac3ba22e8943f9bc9e4cf758e9e32f35d7cf11f6f79a28b
                                                              • Instruction ID: 3d81def2b9ed160b7cbe82e61f761c1bad6b92900eadafee4ff37296183f9c74
                                                              • Opcode Fuzzy Hash: e8cc88d14ffa10021ac3ba22e8943f9bc9e4cf758e9e32f35d7cf11f6f79a28b
                                                              • Instruction Fuzzy Hash: AD416C34E006099FDF64DF65C48469EBBB3EF85304F144529E806EB240EB74E846CBA1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PHq
                                                              • API String ID: 0-3820536768
                                                              • Opcode ID: 92574ffdf887cefc641fb122f3b8b279e54bfa0799acb2e420c5f6f3d55082ef
                                                              • Instruction ID: 86d9fedf19a3a0585cc62c106c11bd0d47f63b832e5495381e3a9f157dc9e47e
                                                              • Opcode Fuzzy Hash: 92574ffdf887cefc641fb122f3b8b279e54bfa0799acb2e420c5f6f3d55082ef
                                                              • Instruction Fuzzy Hash: 0E31F230B103069FDF699B78C4507AE7BA6AF8A310F244568D402DB385DF39ED42C7A4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PHq
                                                              • API String ID: 0-3820536768
                                                              • Opcode ID: 02e7a3c17072e144623add289fbce509f679da61aa91fe20d1bd9a42d5a75150
                                                              • Instruction ID: 28d69ac4f31b81f9645e90463140e66cbbd480993263d9b1ab23a75a2f4320ed
                                                              • Opcode Fuzzy Hash: 02e7a3c17072e144623add289fbce509f679da61aa91fe20d1bd9a42d5a75150
                                                              • Instruction Fuzzy Hash: AE31DC30B20205AFDF68AB79C4547AE7BA6BF89300F244538D406DB385DE39ED02C7A5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q
                                                              • API String ID: 0-1301096350
                                                              • Opcode ID: dc8ca48a6f06b130ad605401e3f4d08e45599db5a6f855c56419f280784ec3d2
                                                              • Instruction ID: 7ae03c698a62a82eea6f4b5f4a3230dafa326f4521f7046ac7d56ebeeee2b7a3
                                                              • Opcode Fuzzy Hash: dc8ca48a6f06b130ad605401e3f4d08e45599db5a6f855c56419f280784ec3d2
                                                              • Instruction Fuzzy Hash: 49F0A032B14201CFDF644E66E8402A87374EB42A11F084866CE00D7140D275DA00E6B1
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 503b458b055660cbe6139ff76bd55266438e02df77cf4e6b133e41552179a649
                                                              • Instruction ID: c042df1436078f3d6a3c500da84c1b6e207cb857c5bd7dc0fa456d0ccf01dc46
                                                              • Opcode Fuzzy Hash: 503b458b055660cbe6139ff76bd55266438e02df77cf4e6b133e41552179a649
                                                              • Instruction Fuzzy Hash: A3325E34B102059FDF64DF69D890BAEBBB6EB89310F108529D405EB385DB35EC46CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7be4b2e3358ddaa175026fd85960a84047c340f52aff083183eea33b858a4212
                                                              • Instruction ID: a9b08b919cad1204ab2b2bf4cad07c4b06b86efeec27ab44b67b63f2fa04a8b6
                                                              • Opcode Fuzzy Hash: 7be4b2e3358ddaa175026fd85960a84047c340f52aff083183eea33b858a4212
                                                              • Instruction Fuzzy Hash: D161A371F001214FEF649B7DC88069EBAD7AFC5214B194439D80AEB364DEB5ED4287D2
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 56e273a1d0955c34633bbff6104d1d3c4e99c62ba665ed4839406da3f99332ba
                                                              • Instruction ID: a8508d291296a9101f8e71c031cd6bda8ca66b4f290e282ce40522be252e46ec
                                                              • Opcode Fuzzy Hash: 56e273a1d0955c34633bbff6104d1d3c4e99c62ba665ed4839406da3f99332ba
                                                              • Instruction Fuzzy Hash: 87812D34B102098FDF94DFB9D4547AEBBF2AF89304F108529D41AEB345EA74EC428B91
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 17e6353c8f3a69bfb5d89cba8cd3c26ec28eb06d8768cbca4239d49099a834d3
                                                              • Instruction ID: 1a81b7b1e14f53a4efb8908545a391c07dfc0e90902aa3bc75652f643bc092a1
                                                              • Opcode Fuzzy Hash: 17e6353c8f3a69bfb5d89cba8cd3c26ec28eb06d8768cbca4239d49099a834d3
                                                              • Instruction Fuzzy Hash: 5B913D34E102198FDF60DF68C890B9DB7B1FF89314F208699D549AB345DB70AA86CB91
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3beedc2e5321c4b0eca96758b02de3e62c8f16b031de0cb7752a79a8b6f7cc24
                                                              • Instruction ID: 15b3d9749e8e3b2ae75a3a402f592242e27d2853dab3374d61b251366bf60c9c
                                                              • Opcode Fuzzy Hash: 3beedc2e5321c4b0eca96758b02de3e62c8f16b031de0cb7752a79a8b6f7cc24
                                                              • Instruction Fuzzy Hash: 83810B30B102098FDF94DFB9D4507AEBBF6AF89304F108529D41ADB355EA74EC428B91
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8c5097af2192d24aed567671eb93a078a1734df8f26318cb7ddb0383df349760
                                                              • Instruction ID: d888fdb375c97cc42793c0b0df9312a2475d6b5a4bac4a1707d0db8e9a34384f
                                                              • Opcode Fuzzy Hash: 8c5097af2192d24aed567671eb93a078a1734df8f26318cb7ddb0383df349760
                                                              • Instruction Fuzzy Hash: 82913C34E102198BDF64DF68C880B9DB7B1FF89314F208699D549BB345DB70AA86CF91
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a9dcd5b2c05ce0f6ddf972955e27e4b2cebd5249c1ed9a566b736a2da6e14b3b
                                                              • Instruction ID: d1a9a7d8b526fcc6fa5e260bdd42355aa49e189591297b7b28a77e891bb7ef1d
                                                              • Opcode Fuzzy Hash: a9dcd5b2c05ce0f6ddf972955e27e4b2cebd5249c1ed9a566b736a2da6e14b3b
                                                              • Instruction Fuzzy Hash: 5C713870A002199FDF54DFA9D980A9EBBF6FF88304F148569D409EB355DA34EC46CB60
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8797184f63f5975a03b4ac36dbfa01a24811b571a188320727c1d9a6721cb3b4
                                                              • Instruction ID: e9a8d1570eb4917d31da378502a631132b453ac5d23ccf8affacfa1d3b711316
                                                              • Opcode Fuzzy Hash: 8797184f63f5975a03b4ac36dbfa01a24811b571a188320727c1d9a6721cb3b4
                                                              • Instruction Fuzzy Hash: EC712970A002099FDB54DFA9D980A9EBBF6FF88300F148529D419EB355DB34EC46CB60
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a4adfef4afc6decdc660ed7c45688782b1c24731b3d6d2df77c6193303ed6ef3
                                                              • Instruction ID: 3065b2e7019d909ad24128ac70ba5a38ba5e4917f921e01df1d7ba692a72d03b
                                                              • Opcode Fuzzy Hash: a4adfef4afc6decdc660ed7c45688782b1c24731b3d6d2df77c6193303ed6ef3
                                                              • Instruction Fuzzy Hash: B351BE31F002099FDF64EBB8E4846ADBBB2FB88315F208879E516D7350DB359955CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 549d14885c5ec28a1947091fe72cf525d6acaa6dd85a7022314a0c3d11866bb6
                                                              • Instruction ID: 2497dda2ef5b677f3aa32fa535da86e71acbc8b2a74c1e023810940bdfe6047c
                                                              • Opcode Fuzzy Hash: 549d14885c5ec28a1947091fe72cf525d6acaa6dd85a7022314a0c3d11866bb6
                                                              • Instruction Fuzzy Hash: 0951C670F103149BEF645BB8D894B6F2A5AE78D710F20443AE40BD7790CA7CDC4297A2
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bc2dff5e82ed651d202822768d37bda9f599fd5ddd1c0f2a41b8906c0aeece1c
                                                              • Instruction ID: 3a4453c035a0de23648241690e4143a435bcdae0ce3aa4e8506bdb566c46214e
                                                              • Opcode Fuzzy Hash: bc2dff5e82ed651d202822768d37bda9f599fd5ddd1c0f2a41b8906c0aeece1c
                                                              • Instruction Fuzzy Hash: A851B270F202149BEF645BB8D894B6F2A5AE78D750F20443AE40BD7790CA7CDC4297A2
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 94a4a452eeb81d0f3b0b63a6efc2bdcd75678043a605e2f302f7c64c9218e6bb
                                                              • Instruction ID: b8f53001d703d6e748f632aa79c27a7f810b429024d1d311c43953c1ae098b56
                                                              • Opcode Fuzzy Hash: 94a4a452eeb81d0f3b0b63a6efc2bdcd75678043a605e2f302f7c64c9218e6bb
                                                              • Instruction Fuzzy Hash: 4B413D71E006098FDFB1CF99E880AAFF7B2FB88210F10493AE156D7651D630E9558BA1
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2b5ddb170838a94ca20241c115714cbe711fd63e7c451085ce11f61dc6b6b99e
                                                              • Instruction ID: 51c10ac6f53d93bb232974a24c3547ec4565a55c84537acd04eb75af4204ebe8
                                                              • Opcode Fuzzy Hash: 2b5ddb170838a94ca20241c115714cbe711fd63e7c451085ce11f61dc6b6b99e
                                                              • Instruction Fuzzy Hash: 5331AF32E002189FCF18ABB8E4546AEBBB3FB84316F108979E556D7340DF359856C7A1
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 64ef24142d228582bb4cdddd3d3154aef9de7a76a58dc827a309ed51b58336be
                                                              • Instruction ID: 94cde4b63c3d0f89526bd082191c81fabf90e9b844642ff0712527916df700b3
                                                              • Opcode Fuzzy Hash: 64ef24142d228582bb4cdddd3d3154aef9de7a76a58dc827a309ed51b58336be
                                                              • Instruction Fuzzy Hash: 68319230E1075A9FDF25DF68C89069EBBB2EF85204F104929D405EB644EB74E9468BA0
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1a32f42bda8026196701ef01a83f5999ff4bcff6516f4dec02e968f051966d33
                                                              • Instruction ID: 47f848dfaf79314d083ff4e8e16045edf79214fe2e5852cc9c51e3b69cef00a9
                                                              • Opcode Fuzzy Hash: 1a32f42bda8026196701ef01a83f5999ff4bcff6516f4dec02e968f051966d33
                                                              • Instruction Fuzzy Hash: 4D317E34E20215ABCB59CF65D85469EBBB2FF89300F108529E906FB344DB71AD81CB60
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fcd3a80bd9896dea79de8e5dde2dc6a6bc9de572eb2982bd3e93ce2ccf1f2dd3
                                                              • Instruction ID: 1a51ef4aecd8f8ac11384031c05eff8c679d742c30dee93442d37e4bd31d8e16
                                                              • Opcode Fuzzy Hash: fcd3a80bd9896dea79de8e5dde2dc6a6bc9de572eb2982bd3e93ce2ccf1f2dd3
                                                              • Instruction Fuzzy Hash: 85319E34E20615ABCB59CF65D89469EBBB2FF89300F108529E906FB344DB71AD82CB50
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4f1af543935592ebb3c3bae4284a204afcd29cb416dba9b743471f2b00ceb414
                                                              • Instruction ID: f781ce218b553fe5d83c7322ffdf93073374c41837d01bd72e6f2be53f659515
                                                              • Opcode Fuzzy Hash: 4f1af543935592ebb3c3bae4284a204afcd29cb416dba9b743471f2b00ceb414
                                                              • Instruction Fuzzy Hash: 30216976E002199FDF40CF69D880AEEBBF5EB88710F158029E944E7380E735ED418BA0
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6462caaea197bc59c58e0a16b3823c668785c08dc8e9eb6c37eef9aaef4e0712
                                                              • Instruction ID: f7e3be5b471391f70a143927afa64f113740cb81ca201e0d119ccb66ef03b330
                                                              • Opcode Fuzzy Hash: 6462caaea197bc59c58e0a16b3823c668785c08dc8e9eb6c37eef9aaef4e0712
                                                              • Instruction Fuzzy Hash: 46213975E007199FDF50CFA9D880AAEBBF5EB88710F118029E905E7350E735ED408BA4
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2484304184.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_133d000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 72db13fd2f5f9e9868df84a48f95917a71987412dd11564e83b97ecd6761d775
                                                              • Instruction ID: 0db353ae57d6b13a887c7e18e52e6053de21c009307875e892faea5ed8e9fb65
                                                              • Opcode Fuzzy Hash: 72db13fd2f5f9e9868df84a48f95917a71987412dd11564e83b97ecd6761d775
                                                              • Instruction Fuzzy Hash: FD2100B1608204DFDB15DF54D980B26FBA5EBC4718F60C66DE8090A296C33AD847CA66
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b7f812987169734c37ade562eecda3652b1d5aaef66dbd5fc21d6ace53a2c5e6
                                                              • Instruction ID: 606eccf71ea782d4c52b838b94ff4358a27df9cac436f019cd8b3e9e2a542924
                                                              • Opcode Fuzzy Hash: b7f812987169734c37ade562eecda3652b1d5aaef66dbd5fc21d6ace53a2c5e6
                                                              • Instruction Fuzzy Hash: 22216F31E007059FCB61CFA9DCC1AAFFBB6FB88610F144929E15597650D630A8568BA0
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 80e17731958abaa39371ba83b16411b4d06c2eb7afb580e0baf8f92f30efd989
                                                              • Instruction ID: 01c6a4778b791b24ba8ff2938e0014f7f3faa5436651b9f078564b319132e97c
                                                              • Opcode Fuzzy Hash: 80e17731958abaa39371ba83b16411b4d06c2eb7afb580e0baf8f92f30efd989
                                                              • Instruction Fuzzy Hash: 1A21AF30B101189FDF94DB6AE8506AEBBB6EB84350F248569E405EB380DB35ED4187A4
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3c8d8e98536458616a290b5ba9d2d9d4aeb8f2741e45801dc67414b8c615477
                                                              • Instruction ID: 32013e6c7064e0a9972955f0e2f5350c631b6f9ed4757b5a96efa98481c1d828
                                                              • Opcode Fuzzy Hash: a3c8d8e98536458616a290b5ba9d2d9d4aeb8f2741e45801dc67414b8c615477
                                                              • Instruction Fuzzy Hash: A4116131B146288FDF989A6DD8146EE7BBAEBC8310F058579E406E7344EE64DC0287E1
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6da6e64cc402565450daa35149906684e3e6e7ebdb19d79695d88ff9a878c432
                                                              • Instruction ID: 4d8461d1f58022cf5e91aef54c6541e7e1c673e91f7f642a14ad64b00f91b932
                                                              • Opcode Fuzzy Hash: 6da6e64cc402565450daa35149906684e3e6e7ebdb19d79695d88ff9a878c432
                                                              • Instruction Fuzzy Hash: 1401FC31B042205FDBA197BCD46176E77E5EB8B750F14887AE50BCB781D925DC028B91
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ddb7ca94a8417045dcf95ffa1cbc7da07478c7eb365cf5b7a4cc28a78d7d4419
                                                              • Instruction ID: f4da1945148b1900e94cbd47d012532328754a3f8ce1ba361372cbe1a20d6b82
                                                              • Opcode Fuzzy Hash: ddb7ca94a8417045dcf95ffa1cbc7da07478c7eb365cf5b7a4cc28a78d7d4419
                                                              • Instruction Fuzzy Hash: 7A01DF35B101201FEFA496ADD84572BA7C6EBCA720F10843AF10ACB742ED69DC4343A1
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fe15291db9963022781ef4c77cc8b08b4e12aa944ff1f872cd36b84ce2e8eef7
                                                              • Instruction ID: 6780ba4f298ba4b1afdb43c7bcc0661dd4e1f55ae24ae7b19c332b06cb11937a
                                                              • Opcode Fuzzy Hash: fe15291db9963022781ef4c77cc8b08b4e12aa944ff1f872cd36b84ce2e8eef7
                                                              • Instruction Fuzzy Hash: B901F532B082684FDF94D6AED8206EF7BBA9BC8310F05407AE446D3280EF24DC05C7A1
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2528340306.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_6d90000_wlBldyvi.jbxd
                                                              Memory Dump Source
                                                              • Source File: 00000025.00000002.2484304184.000000000133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0133D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_37_2_133d000_wlBldyvi.jbxd

                                                              Execution Graph

                                                              Execution Coverage: 11.6%
                                                              Dynamic/Decrypted Code Coverage: 100%
                                                              Signature Coverage: 0%
                                                              Total number of Nodes: 17
                                                              Total number of Limit Nodes: 4

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q
                                                              • API String ID: 0-3126353813
                                                              • Opcode ID: 8572a19a29965ab232cbf07e4a43aa560f64f568ac79aa9cc5fc7fa36d3c1f45
                                                              • Instruction ID: 6fc40615b7587f58511a7d1e49390e2b4d28d7e460ef6632da1283c57030f1f0
                                                              • Opcode Fuzzy Hash: 8572a19a29965ab232cbf07e4a43aa560f64f568ac79aa9cc5fc7fa36d3c1f45
                                                              • Instruction Fuzzy Hash: 0202C030B012198FDB64EB68D890BAEBBE2FF84314F648529D406DB744DB35ED42CB90
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8a95673e3715773e183f68750fe48bff7ae1364a3ff2579d30b3ebbeb58399a1
                                                              • Instruction ID: bd2c5c3a33e46c83af6763e8975bd4321b0a5531384fd7b6f376f212256e0a0a
                                                              • Opcode Fuzzy Hash: 8a95673e3715773e183f68750fe48bff7ae1364a3ff2579d30b3ebbeb58399a1
                                                              • Instruction Fuzzy Hash: FD924934A002048FDB74EB68C598B5DBBF2EF45318F5484AED449AB365DB39EE45CB80
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q$$q$$q$$q$$q
                                                              • API String ID: 0-3886557441

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q$$q$$q
                                                              • API String ID: 0-2069967915

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q
                                                              • API String ID: 0-4102054182

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q
                                                              • API String ID: 0-3067366958

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: fq$XPq$\Oq
                                                              • API String ID: 0-132346853

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q
                                                              • API String ID: 0-3126353813

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2488653902.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_14a0000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:

                                                              Control-flow Graph

                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 014AEC87
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2488653902.00000000014A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_14a0000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID:
                                                              • API String ID: 1890195054-0

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: XPq
                                                              • API String ID: 0-1601936878
                                                              • Opcode ID: 53b8da7067e7770c9e3dc8e3a615fc306a04a8254818253ea172a13158e1c21e
                                                              • Instruction ID: c97bc38deedb3f7fedf266a2e9c979a3f8c0766a302218d1457a0ea28eb47bcf
                                                              • Opcode Fuzzy Hash: 53b8da7067e7770c9e3dc8e3a615fc306a04a8254818253ea172a13158e1c21e
                                                              • Instruction Fuzzy Hash: 63416074F002199FEB549FA9C854B9EBBF6BF88300F24852DD105AB395DB759C05CB90

                                                              Control-flow Graph (graph rendering omitted; entry block 6c8da9d-6c8dac7, blocks marked Executed / Not Executed)
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PHq
                                                              • API String ID: 0-3820536768
                                                              • Opcode ID: d187fe0b7fbdc556230f1f8a6de718b1a2219d8e87c305d286656a2ea8e634ec
                                                              • Instruction ID: 558f6fcf45cb817730d83fa1918f96bf23ac8e4b93af14dc03f89453a89797ef
                                                              • Opcode Fuzzy Hash: d187fe0b7fbdc556230f1f8a6de718b1a2219d8e87c305d286656a2ea8e634ec
                                                              • Instruction Fuzzy Hash: B8417130E00309DFDB64EF65D4546AEBBB2BF85304F24452AE806DB284DB70A946CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PHq
                                                              • API String ID: 0-3820536768
                                                              • Opcode ID: 46e9e54a431834ec3805f9a2bef42beabda4c0a9f84d31901f8a970722abf86e
                                                              • Instruction ID: 5ce40d2b8713e8628ef61097ce4b0e5862f20146865e4291e8fc5965c09ed790
                                                              • Opcode Fuzzy Hash: 46e9e54a431834ec3805f9a2bef42beabda4c0a9f84d31901f8a970722abf86e
                                                              • Instruction Fuzzy Hash: 3731CF30B102098FDB68AB75D46866E7BE6AB89214F24443CD406DB388DF39DE06C7D5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q
                                                              • API String ID: 0-1301096350
                                                              • Opcode ID: 119407b9af77c573be6b644dca1929f88dd4e633c912e1e6b3deaa6124781e48
                                                              • Instruction ID: f386554c8666be5599eab0741bd846d84172ae156d80e2b102ab7d4f9953d40f
                                                              • Opcode Fuzzy Hash: 119407b9af77c573be6b644dca1929f88dd4e633c912e1e6b3deaa6124781e48
                                                              • Instruction Fuzzy Hash: 7DF0A936A06209DFEF747986FC902A873A0EB04259B8845AADE00C3945E370DF00C690
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: deaec7d892c8b53eaaff0f037f7e6acd00bae5728d7d784988b799efbd2d3d3b
                                                              • Instruction ID: 76a352d33b268f18d7246333634a3b9fbe6d7d16d9705180762c3606af7a823c
                                                              • Opcode Fuzzy Hash: deaec7d892c8b53eaaff0f037f7e6acd00bae5728d7d784988b799efbd2d3d3b
                                                              • Instruction Fuzzy Hash: 2B329374B002098FDB64EFA8D490BAEBBB2FB88314F108529D505DB355DB35ED46CB91
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 847f51290b3ae0e4bcd893302af05a761213d013dfc70f985591434f2251e9f3
                                                              • Instruction ID: 733e82c1fdd1f31c5fb6fc3a34ea512e06c12bb9ce43171d0876533e240c2f4c
                                                              • Opcode Fuzzy Hash: 847f51290b3ae0e4bcd893302af05a761213d013dfc70f985591434f2251e9f3
                                                              • Instruction Fuzzy Hash: 7961C471F001204FDF64AA7EC884A5EBAD7AFC4214B194479D80AEB364DEB5ED4287C2
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4b7f3f5d24c23fe069d2b4ceb75718571be1c5f8a13c2e7416c38f5c8c7c8dcd
                                                              • Instruction ID: f9ef2a132c99fc947da0bd32cbe26931f0a2504289ef0840441d9ff35b42ea15
                                                              • Opcode Fuzzy Hash: 4b7f3f5d24c23fe069d2b4ceb75718571be1c5f8a13c2e7416c38f5c8c7c8dcd
                                                              • Instruction Fuzzy Hash: 3B813F74B102098FDB58EFA9D4907AEBBE2AF89304F108529D40ADB355EE34DD42C791
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7892fea439a705d73b466ae9a48f777e342b8e07a6f7055c19e2e85f5e7cb9d6
                                                              • Instruction ID: 9d551a54051a953901856a9f5151ee9700dc13989356faa6cb82182c4a4202bb
                                                              • Opcode Fuzzy Hash: 7892fea439a705d73b466ae9a48f777e342b8e07a6f7055c19e2e85f5e7cb9d6
                                                              • Instruction Fuzzy Hash: AA915F30E1021A8FDB64DF64C850B9DBBB1FF89304F20C699D449BB255DB71AA85CB91
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 542edfec2893f3a09dd489acdc5b05a2296fa23f8e069a3c0219e694d0cbdd79
                                                              • Instruction ID: 584637ab578fb4a381c763f1cf87dacff2c23afdc38940a306db3fa84d109142
                                                              • Opcode Fuzzy Hash: 542edfec2893f3a09dd489acdc5b05a2296fa23f8e069a3c0219e694d0cbdd79
                                                              • Instruction Fuzzy Hash: E0913934E1021A8FDF64DF68C880B9DB7B1FF89304F20C699D549BB244DB71AA85CB90
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4086b0309efeeb3be116669cb9201c5a410a219439de814a1f88e46a7e1a0df2
                                                              • Instruction ID: 215a3591f7ba7c687de364d133b09dc6c72382f24d88e7aa11181150d919dac6
                                                              • Opcode Fuzzy Hash: 4086b0309efeeb3be116669cb9201c5a410a219439de814a1f88e46a7e1a0df2
                                                              • Instruction Fuzzy Hash: AD714B70A002499FDB64EFA9D990A9EBBF6FF88304F248529D415EB354DB30ED46CB50
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7e1bf1cc3c01d6a7403978822bbddd5ced20998731ac4bd086e5710e4bd151ab
                                                              • Instruction ID: e8262c3b9b20f025a1ec87f137d3d0d56dbf7baf7ce2e7c4bff917cb126ef68f
                                                              • Opcode Fuzzy Hash: 7e1bf1cc3c01d6a7403978822bbddd5ced20998731ac4bd086e5710e4bd151ab
                                                              • Instruction Fuzzy Hash: 2E714B70A002499FDB64EBA9D990A9EBBF6FF88304F248429D415EB354DB31ED46CB50
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 562b4f84d8ad16c1d4534f0f687cb6d373d1e0ebbfdae012d8fdbd5777cb7599
                                                              • Instruction ID: 81f914d222f282eef8910fd1c09e5d5e03dd9b0d3e41243ed118c4f0788f0de0
                                                              • Opcode Fuzzy Hash: 562b4f84d8ad16c1d4534f0f687cb6d373d1e0ebbfdae012d8fdbd5777cb7599
                                                              • Instruction Fuzzy Hash: 9951D431E01109DFCB74BF78E4546ADBBB2FB88359F20486EE126D7251DB319A55C780
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d3ec5a4af385f41ddb5e86214d78f9a583c92947abdd38375846befc005647f
                                                              • Instruction ID: 3e7eaba35f0a4683909564547d35eebefb7bd2edf5a21d60ec18c12432c4c664
                                                              • Opcode Fuzzy Hash: 2d3ec5a4af385f41ddb5e86214d78f9a583c92947abdd38375846befc005647f
                                                              • Instruction Fuzzy Hash: 0451D330B103188FEF747668D864B7F365AE789394F20442EE51AC7395CB78CD4293A2
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2e93e967701fab4b6804673b130d11bedec206f929c5a04425f04f5f486b6cbd
                                                              • Instruction ID: 25211aa39c0c1c13b32c3720e9fe085292d6ace6aa4729383f4eed2c94455003
                                                              • Opcode Fuzzy Hash: 2e93e967701fab4b6804673b130d11bedec206f929c5a04425f04f5f486b6cbd
                                                              • Instruction Fuzzy Hash: 9B51B030F103189FEF747668D864B6F365AE789394F20442ED51AC7394CA78DD4293A2
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e6728f31d3d0558f35b2721de2eab21f8042cd9bcb8f0de360b7df6b7431b5f2
                                                              • Instruction ID: 6da3b969a5465668390ca690bfb0bca4663bd9203b45047292bc27e9056dc44b
                                                              • Opcode Fuzzy Hash: e6728f31d3d0558f35b2721de2eab21f8042cd9bcb8f0de360b7df6b7431b5f2
                                                              • Instruction Fuzzy Hash: D7418D71E007098FDBB0DEA9C880AAFBBB2EB84214F50492AE155D7650D370E959CB90
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1579793bf7dfd72f99c75b9e1425043c92f87e95af4c42aa1f3b6b1f3faccb62
                                                              • Instruction ID: ad644067fdda7872375c52466592694863a36dca0da8ff437725747d343d6f0d
                                                              • Opcode Fuzzy Hash: 1579793bf7dfd72f99c75b9e1425043c92f87e95af4c42aa1f3b6b1f3faccb62
                                                              • Instruction Fuzzy Hash: 18317430E1071A8FDB25EF68D89069EB7B2FF85314F104A2DD416EB294DB71B946CB81
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f6c419cf9badd49056bc044d8d40b8b2ceffedf836684d3413618cc1014a37b1
                                                              • Instruction ID: 77de2d1f7a5869e87985b188270a923c31cd7545f8d4b88ee7580bfb8c497691
                                                              • Opcode Fuzzy Hash: f6c419cf9badd49056bc044d8d40b8b2ceffedf836684d3413618cc1014a37b1
                                                              • Instruction Fuzzy Hash: E9318E31E102059FCB59DFA4D85469EB7B2FF89304F208429E906EB350DB75EE41CB80
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 101faaf847048c44516599419d86cb5394b98004dbec841acf969f8b81ac19dc
                                                              • Instruction ID: c62592867dd02b9cdbef7b1a82aea2f5f8327327b7aebbe8ad1bc9ff229ba5d2
                                                              • Opcode Fuzzy Hash: 101faaf847048c44516599419d86cb5394b98004dbec841acf969f8b81ac19dc
                                                              • Instruction Fuzzy Hash: 44319030E102059FCB59DFA8D85469EB7B2FF89300F208429E906EB354DB71EE41CB80
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3bcc109427c0543664ce6aa943e6ffd2fc86d8b4b2b588d036149f30d58e7988
                                                              • Instruction ID: bc389fb9034debe736e03384a61a642a3ba8a07cacd72f289060688aae7b8de3
                                                              • Opcode Fuzzy Hash: 3bcc109427c0543664ce6aa943e6ffd2fc86d8b4b2b588d036149f30d58e7988
                                                              • Instruction Fuzzy Hash: 8921A6B5F002199FEB50DFA9D891BEEBBF5AB48710F108029E505E7344EB30D941CB94
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2487899373.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_127d000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9d1a1b45de87fdb191a72dc63009cb43d17e399a2d51bfbd6b89f455b018df12
                                                              • Instruction ID: d3b66a4ac13978641d12a03433c128b4880a222988eb44c1b9f1b82f7dac50ba
                                                              • Opcode Fuzzy Hash: 9d1a1b45de87fdb191a72dc63009cb43d17e399a2d51bfbd6b89f455b018df12
                                                              • Instruction Fuzzy Hash: C33159755093C49FCB03CB64D994712BF71AF46214F29C5DBD9898B2A3C23A980ACB62
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d345674fcacef87a92a459bea35e50434677f120981eaa1291c0061da1aadca5
                                                              • Instruction ID: 05fa0fde9307eeea6a141ebd374e9f9810af3c1688b85f57b0ee161306f0d184
                                                              • Opcode Fuzzy Hash: d345674fcacef87a92a459bea35e50434677f120981eaa1291c0061da1aadca5
                                                              • Instruction Fuzzy Hash: D6214FB5E006199FDB50EFA9D890AAEBBF5EB48710F108029E909E7354EB31DD40CB94
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2487899373.000000000127D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0127D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_127d000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 931356f269877db981d0a4c0aafaca61b62df39a9e401d2ddef743a5ce3d9be7
                                                              • Instruction ID: 4e33d8ee83a018ee140c6dea7e60b8f60c54a8505157a1e7e82e0d198d64e38c
                                                              • Opcode Fuzzy Hash: 931356f269877db981d0a4c0aafaca61b62df39a9e401d2ddef743a5ce3d9be7
                                                              • Instruction Fuzzy Hash: 3F212271614208DFDB16DF54D9C0B26BBA1FF84314F24C56DD94A0B282C376D847CA62
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b093d04982a3048d5ffeb5926417825c70a906b35a6200058622ac9e7b5aea4e
                                                              • Instruction ID: 6b1680f5cc531732034c17f6a344f9381b6040c8b78dfc37388e8300a56bad39
                                                              • Opcode Fuzzy Hash: b093d04982a3048d5ffeb5926417825c70a906b35a6200058622ac9e7b5aea4e
                                                              • Instruction Fuzzy Hash: 8A217270B101189FDF64EA6AE8A06AEBBB7EB84354F24842AD405DB345EB31ED41C790
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e72bf410a2904303d8d66971605e9b652bd6ffa050e9699d524c1765dd541f7c
                                                              • Instruction ID: 99f539bdf322de3d72761c016cb9100505802342a94990692c62b50a5ac5ccf0
                                                              • Opcode Fuzzy Hash: e72bf410a2904303d8d66971605e9b652bd6ffa050e9699d524c1765dd541f7c
                                                              • Instruction Fuzzy Hash: 3311A171B101284FDBA4AAA9D8606AE7BABABC8710F008539C40AE7354EE64DC0287D0
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a5bf5d29cad41f73b5a9d274151faba401a0ee883c630b73420d2fcbdea4ae23
                                                              • Instruction ID: a530ec7ccaa54ad275d2a6a8efb2d69dcd8b32db6c23ffa2cc883e6e8bd82b09
                                                              • Opcode Fuzzy Hash: a5bf5d29cad41f73b5a9d274151faba401a0ee883c630b73420d2fcbdea4ae23
                                                              • Instruction Fuzzy Hash: 3A01B171B206101FDBB5A92CD850B7F67D6EBC9654F10843EE00ACB344DA15DD078391
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cce66c3de6768c50f7a27a5e2c99011c8b1eb1c490514d3fb24e9497de049739
                                                              • Instruction ID: 4ccd75b7099c16eb04928de941613d284bdc095cd9c55dfea4eae798e54ac1df
                                                              • Opcode Fuzzy Hash: cce66c3de6768c50f7a27a5e2c99011c8b1eb1c490514d3fb24e9497de049739
                                                              • Instruction Fuzzy Hash: D2012870B042520FDBA5A6BC985472BFBD6DFCA320F14C56EE10ACB3A2D915CD428391
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c97612485cf5079bf563f08082a7f8c8d61f233cf53d6280b2fa2483202ea6e4
                                                              • Instruction ID: 4f8980110eb336500b361e6915867bb6d735310d0d945d6943e3a6f1a2c0ee75
                                                              • Opcode Fuzzy Hash: c97612485cf5079bf563f08082a7f8c8d61f233cf53d6280b2fa2483202ea6e4
                                                              • Instruction Fuzzy Hash: D421CFB5D11259AFCB10DF9AD984ADEFBB4FB48310F10822AE918A7240C374A945CFA4
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4eaba43e09d50648a4426cf560cf0f898782b33221b4573b4f5c2151d17d1d02
                                                              • Instruction ID: 8babcaff64d7674af08d7c0f64b09b0e693bfb13f0a26a9ccf7dd25bdcf60015
                                                              • Opcode Fuzzy Hash: 4eaba43e09d50648a4426cf560cf0f898782b33221b4573b4f5c2151d17d1d02
                                                              • Instruction Fuzzy Hash: 8C01B570B146144FDB75AB7CE86076EBBD5EB86314F10846FE14ACB394EA25ED01C381
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d603e660ed760944769f0a98aa5a809d102cb075152564f6652b3baa89d53cb5
                                                              • Instruction ID: 6c5df774a33f4c436f07487682d74f4ce0e93a11723b88451ebaaf60e7f87cea
                                                              • Opcode Fuzzy Hash: d603e660ed760944769f0a98aa5a809d102cb075152564f6652b3baa89d53cb5
                                                              • Instruction Fuzzy Hash: 6811E2B5D01259AFCB10DF9AD884ADEFFB8FB48310F10812AE918A7340C375A944CFA5
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d47d17477313bcb6e74e05ff80b6f74a51f972fb4e42b655ef6fcd9ceae62d7c
                                                              • Instruction ID: 695f965e6b4f9613e763f873dfe94f5b99f0e8f1fce3d6d72a1056c1cb30a6bf
                                                              • Opcode Fuzzy Hash: d47d17477313bcb6e74e05ff80b6f74a51f972fb4e42b655ef6fcd9ceae62d7c
                                                              • Instruction Fuzzy Hash: 13016D71B102110FDBA8A6ADA85472BE2DAEBC9725F10C43DE10ACB355EA66DD428391
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 24efc174784cd878d30eeedb122d48e9f3ef04f1f1935562199658887d4ee24b
                                                              • Instruction ID: 5cadf4024275ade66c86e235343bcce20b70404b38655891701ce400c284306c
                                                              • Opcode Fuzzy Hash: 24efc174784cd878d30eeedb122d48e9f3ef04f1f1935562199658887d4ee24b
                                                              • Instruction Fuzzy Hash: 9401F772B100144FEBA4AAADD8207EF3B9BABC8310F04453ED409E3384EE64CD0283D1
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cb9b6b5142e08847bd74809a80d4aa2dbd288f65744640e43d5fe0a9a26a1dfd
                                                              • Instruction ID: da9ddbf001acf361da979293aa62b52c5f67dfbb7448d61cdb50f87e4bd547f5
                                                              • Opcode Fuzzy Hash: cb9b6b5142e08847bd74809a80d4aa2dbd288f65744640e43d5fe0a9a26a1dfd
                                                              • Instruction Fuzzy Hash: CD018175B105141FDBB4A56DD85072FA3DAEBC9658F10842DE51ACB344DE21DD028391
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 38b18a663d9c2ccf0328d3961e11d856b9e257ccb6eceaf8dcde7f066cf18d2a
                                                              • Instruction ID: 6333587b87d6dd8c507d9eca4a56de3129887c0d07965b74460b555fd7c166e4
                                                              • Opcode Fuzzy Hash: 38b18a663d9c2ccf0328d3961e11d856b9e257ccb6eceaf8dcde7f066cf18d2a
                                                              • Instruction Fuzzy Hash: 69013170B106144FDB74AAADD8A072EB7DAEB89718F10843EE50BCB354EA25ED01C781
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a95f9290f6887c2c31d95be34cb88b05f521268d0671c5ca83416166649c9f3a
                                                              • Instruction ID: 1cbd8174044839a336d939f2dddf618235a3134686f9cdd2bc6e2e5f79ca0749
                                                              • Opcode Fuzzy Hash: a95f9290f6887c2c31d95be34cb88b05f521268d0671c5ca83416166649c9f3a
                                                              • Instruction Fuzzy Hash: 2CE02270E141858EEBB0EE70851076EBBA6DBC220CF204A99C049CB242E236EA10C340
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                                              • API String ID: 0-1298971921
                                                              • Opcode ID: 3caa4f04cc70303dcb0bbb09d6d85d80e9c58eae243134789b26a12c60388fd4
                                                              • Instruction ID: fbb70ad012274b70b80ef63b3c1468af8cd889c9f73f013504de1e6c61bd784b
                                                              • Opcode Fuzzy Hash: 3caa4f04cc70303dcb0bbb09d6d85d80e9c58eae243134789b26a12c60388fd4
                                                              • Instruction Fuzzy Hash: 15124D70E002198FDB64EF69D854B9DB7B2FF88305F21856AD40AAB355EB31AD41CF90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q$$q$$q$$q$$q
                                                              • API String ID: 0-3886557441
                                                              • Opcode ID: 2f1bb718626f7b5de05999c4c5b61daae8e207627d32834ef42b7ad9d100273f
                                                              • Instruction ID: 19f660389d56e119f3bccd06e375f4a4a8fa8b9d8d333b5ac502c6bffc74dcf3
                                                              • Opcode Fuzzy Hash: 2f1bb718626f7b5de05999c4c5b61daae8e207627d32834ef42b7ad9d100273f
                                                              • Instruction Fuzzy Hash: 84916E30A00209DFEB78FFA5D9947AE7BB2BF44304F14852EE4029B255DB75AD45CB90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q$$q$$q
                                                              • API String ID: 0-2069967915
                                                              • Opcode ID: 60c6fcad3e07113903df446210e328ce6a9a575590b6918d14b3cc05197ec1a3
                                                              • Instruction ID: 356325dbe14a4880aeb593b4f790ba38d44c09d934cb13ede7fc5981659b80e8
                                                              • Opcode Fuzzy Hash: 60c6fcad3e07113903df446210e328ce6a9a575590b6918d14b3cc05197ec1a3
                                                              • Instruction Fuzzy Hash: 7BF14E30B00309CFDB69EF65D494A6EB7B2BF98305F648569D4059B368EB35EC42CB90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q
                                                              • API String ID: 0-4102054182
                                                              • Opcode ID: c561847c9f3b8b103a6009b0773a1811efec129648840baef7b17aced08225a9
                                                              • Instruction ID: 959428fcacb350ab7bbcc3e16d89d417a3dae06defd9ea0bd230f417dc792891
                                                              • Opcode Fuzzy Hash: c561847c9f3b8b103a6009b0773a1811efec129648840baef7b17aced08225a9
                                                              • Instruction Fuzzy Hash: 8EB15B30B112098FDB64EFA5D89066EB7B2BF88304FA4852DD406DB754DB75DD42CB80
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LRq$LRq$$q$$q
                                                              • API String ID: 0-2204215535
                                                              • Opcode ID: e5acc071a8f1ce2a7dd3c80df00632c0d238ae52688b5b4bc111f5a7afa1c9a3
                                                              • Instruction ID: a250116f2340ba4bc525a3672f6c26c79b8c83f60c1216f0e7d83f2b58089e0a
                                                              • Opcode Fuzzy Hash: e5acc071a8f1ce2a7dd3c80df00632c0d238ae52688b5b4bc111f5a7afa1c9a3
                                                              • Instruction Fuzzy Hash: 1D51D230B002059FDB68EB69D890A6E77A2FF88304F54856EE406DB799DA31EC05CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000027.00000002.2527517358.0000000006C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_39_2_6c80000_IxumRsOtTdrVAu.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $q$$q$$q$$q
                                                              • API String ID: 0-4102054182
                                                              • Opcode ID: 9f2a1274af1f70612b415c4144b3b64785178ba5979dd1c1cc168ff99696e741
                                                              • Instruction ID: 70fdcfb28c7396e3514b3f5f2933c26a747408791059e7af60cfa61c7a39dc06
                                                              • Opcode Fuzzy Hash: 9f2a1274af1f70612b415c4144b3b64785178ba5979dd1c1cc168ff99696e741
                                                              • Instruction Fuzzy Hash: CE518C34A102099FDB75EBA8D4906AEB7B2EB88305F14492FD805DB364DB31ED42CB91