
Windows Analysis Report
0PPJsQE4wD.exe

Overview

General Information

Sample name: 0PPJsQE4wD.exe (renamed because the original name is a hash value)
Original sample name: 2638d6a3c5e906c7ad8bfce0a4b233789c0ad98a46c32deb0f3cd889481a75b0.exe
Analysis ID: 1587614
MD5: d5144747a0ac45151b3c5da28eed836b
SHA1: cc6a2eab70def6f10c6be941e30e5c8bf5c88c8b
SHA256: 2638d6a3c5e906c7ad8bfce0a4b233789c0ad98a46c32deb0f3cd889481a75b0
Tags: exe, user-adrian__luca

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 0PPJsQE4wD.exe (PID: 3200 cmdline: "C:\Users\user\Desktop\0PPJsQE4wD.exe" MD5: D5144747A0AC45151B3C5DA28EED836B)
    • powershell.exe (PID: 6224 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0PPJsQE4wD.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7196 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 5044 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OKTSUgBLN.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6204 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" /XML "C:\Users\user\AppData\Local\Temp\tmp1AD3.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 0PPJsQE4wD.exe (PID: 5660 cmdline: "C:\Users\user\Desktop\0PPJsQE4wD.exe" MD5: D5144747A0AC45151B3C5DA28EED836B)
  • OKTSUgBLN.exe (PID: 6692 cmdline: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe MD5: D5144747A0AC45151B3C5DA28EED836B)
    • schtasks.exe (PID: 7348 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" /XML "C:\Users\user\AppData\Local\Temp\tmp2C57.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • OKTSUgBLN.exe (PID: 7404 cmdline: "C:\Users\user\AppData\Roaming\OKTSUgBLN.exe" MD5: D5144747A0AC45151B3C5DA28EED836B)
    • OKTSUgBLN.exe (PID: 7412 cmdline: "C:\Users\user\AppData\Roaming\OKTSUgBLN.exe" MD5: D5144747A0AC45151B3C5DA28EED836B)
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Yara matches in memory dumps (Source | Rule | Description | Author):

0000000F.00000002.3309284654.00000000030CF000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000002.3306935480.0000000000437000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.3309727209.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.3309727209.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.3309727209.0000000002F51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(the report lists 12 entries in this table; the remaining entries are not reproduced here)
Yara matches in unpacked PE files (Source | Rule | Description | Author):

0.2.0PPJsQE4wD.exe.3692340.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.0PPJsQE4wD.exe.3692340.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.0PPJsQE4wD.exe.3692340.2.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  Matched strings (offset: identifier: value):
  • 0x316cb: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3173d: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317c7: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31859: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318c3: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31935: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319cb: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a5b: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.0PPJsQE4wD.exe.36ccd60.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.0PPJsQE4wD.exe.36ccd60.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(the report lists 9 entries in this table; the remaining entries are not reproduced here)
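The INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID match above is driven by eight Windows Vault schema GUIDs present as strings in the unpacked payload. The following is an added example, not code from this report, from Joe Security or from the rule's author: it scans a buffer for those GUIDs as both ASCII and UTF-16LE, reports each hit in the same offset / identifier / value shape as the Strings column, and applies a "PE file with at least N distinct vault GUIDs" verdict. AgentTesla is a .NET assembly and .NET string literals are stored UTF-16LE in the #US heap, which is why an ASCII-only search can miss them. The per-GUID names are the ones `vaultcmd /listschema` reports on Windows 10 and are included for orientation only; the threshold and the sample buffer are constructed assumptions, since the page does not show the rule's condition.

```python
"""Scan a binary for the Windows Vault schema GUIDs behind the
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID match (added example, not from the report)."""
import re

# Identifiers follow the rule's Strings column above. Names are what
# `vaultcmd /listschema` prints on Windows 10; verify on a reference host.
VAULT_SCHEMA_GUIDS = [
    ("$s1", "2F1A6504-0641-44CF-8BB5-3612D865F2E5", "Windows Secure Note"),
    ("$s2", "3CCD5499-87A8-4B10-A215-608888DD3B55", "Windows Web Password Credential"),
    ("$s3", "154E23D0-C644-4E6F-8CE6-5069272F999F", "Windows Credential Picker Protector"),
    ("$s4", "4BF4C442-9B8A-41A0-B380-DD4A704DDB28", "Web Credentials"),
    ("$s5", "77BC582B-F0A6-4E15-4E80-61736B6F3B29", "Windows Credentials"),
    ("$s6", "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC", "Windows Domain Certificate Credential"),
    ("$s7", "3E0E35BE-1B77-43E7-B873-AED901B6275B", "Windows Domain Password Credential"),
    ("$s8", "3C886FF3-2669-4AA2-A8FB-3F6759A77548", "Windows Extended Credential"),
]


def find_vault_guids(data):
    """Return sorted [(offset, identifier, guid, encoding)] for every occurrence.

    Each GUID is searched case-insensitively as ASCII and as UTF-16LE, because
    .NET user strings (the #US heap) are UTF-16LE and an ASCII grep misses them.
    """
    hits = []
    for ident, guid, _name in VAULT_SCHEMA_GUIDS:
        for enc, needle in (("ascii", guid.encode("ascii")), ("utf-16le", guid.encode("utf-16-le"))):
            for m in re.finditer(re.escape(needle), data, re.IGNORECASE):
                hits.append((m.start(), ident, guid, enc))
    return sorted(hits)


def summarize(data, min_distinct=3):
    """Verdict modelled on a 'PE header and N of the strings' YARA condition.

    min_distinct is an assumption; the page does not show the rule's condition.
    """
    hits = find_vault_guids(data)
    distinct = sorted({h[2] for h in hits})
    is_pe = data[:2] == b"MZ"
    return {"is_pe": is_pe, "hits": hits, "distinct": distinct,
            "suspicious": is_pe and len(distinct) >= min_distinct}


def format_hits(data):
    """Render hits like the report's Strings column, plus the encoding seen."""
    return [f"0x{off:x}:{ident}: {guid} ({enc})" for off, ident, guid, enc in find_vault_guids(data)]


# Constructed sample: a fake MZ header and DOS stub text, two GUIDs stored as
# UTF-16LE (as a .NET assembly would) and one lower-case ASCII GUID.
SAMPLE = (b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode." + b"\x00" * 9
          + "4BF4C442-9B8A-41A0-B380-DD4A704DDB28".encode("utf-16-le") + b"\x00\x00"
          + "3CCD5499-87A8-4B10-A215-608888DD3B55".encode("utf-16-le") + b"\x00\x00"
          + b"77bc582b-f0a6-4e15-4e80-61736b6f3b29" + b"\x00" * 16)

if __name__ == "__main__":
    for line in format_hits(SAMPLE):
        print(line)
    print("suspicious:", summarize(SAMPLE)["suspicious"])
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `summarize`; the offsets then line up with what a hex editor or YARA shows, and the encoding column tells you whether the literal came from a native string table or a .NET user-string heap.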

                    System Summary

Sigma matches:

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0PPJsQE4wD.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0PPJsQE4wD.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\0PPJsQE4wD.exe", ParentImage: C:\Users\user\Desktop\0PPJsQE4wD.exe, ParentProcessId: 3200, ParentProcessName: 0PPJsQE4wD.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0PPJsQE4wD.exe", ProcessId: 6224, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" /XML "C:\Users\user\AppData\Local\Temp\tmp2C57.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" /XML "C:\Users\user\AppData\Local\Temp\tmp2C57.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe, ParentImage: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe, ParentProcessId: 6692, ParentProcessName: OKTSUgBLN.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" /XML "C:\Users\user\AppData\Local\Temp\tmp2C57.tmp", ProcessId: 7348, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\0PPJsQE4wD.exe, Initiated: true, ProcessId: 5660, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49709
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" /XML "C:\Users\user\AppData\Local\Temp\tmp1AD3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" /XML "C:\Users\user\AppData\Local\Temp\tmp1AD3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\0PPJsQE4wD.exe", ParentImage: C:\Users\user\Desktop\0PPJsQE4wD.exe, ParentProcessId: 3200, ParentProcessName: 0PPJsQE4wD.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" /XML "C:\Users\user\AppData\Local\Temp\tmp1AD3.tmp", ProcessId: 6204, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0PPJsQE4wD.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0PPJsQE4wD.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\0PPJsQE4wD.exe", ParentImage: C:\Users\user\Desktop\0PPJsQE4wD.exe, ParentProcessId: 3200, ParentProcessName: 0PPJsQE4wD.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0PPJsQE4wD.exe", ProcessId: 6224, ProcessName: powershell.exe

                    Persistence and Installation Behavior

Sigma matches:

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" /XML "C:\Users\user\AppData\Local\Temp\tmp1AD3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" /XML "C:\Users\user\AppData\Local\Temp\tmp1AD3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\0PPJsQE4wD.exe", ParentImage: C:\Users\user\Desktop\0PPJsQE4wD.exe, ParentProcessId: 3200, ParentProcessName: 0PPJsQE4wD.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" /XML "C:\Users\user\AppData\Local\Temp\tmp1AD3.tmp", ProcessId: 6204, ProcessName: schtasks.exe
                    No Suricata rule has matched
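The Sigma hits in the two sections above (PowerShell running `Add-MpPreference -ExclusionPath`, `schtasks /Create ... /XML` reading a task definition out of `%TEMP%`, and a TCP/25 connection opened by the sample itself) are the behaviours a detection engineer would want to reproduce against their own telemetry. The following is an added example, not code from the report or from the Sigma rules' authors: it encodes those conditions over a handful of constructed Sysmon-style events (Event ID 1 process creation, Event ID 3 network connection) shaped after the process tree in this report, and groups hits by the root of the process tree so the chain (exclusion, task, SMTP under one parent) stands out. The field names, the constructed events, the `-EncodedCommand` decoding and the mail-client allow-list are assumptions, not taken from the report.

```python
"""Sigma-style checks for the behaviours in the report above (added example; the
report contains no code). Events are dicts with Sysmon-like fields: EventID 1 is
process creation, EventID 3 a network connection. Field names, the constructed
events, the -EncodedCommand handling and the mail-client allow-list are assumptions."""
import base64
import binascii
import ntpath
import re
from collections import defaultdict

# "Powershell Defender Exclusion": an MpPreference cmdlet adding any exclusion type.
DEFENDER_EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)
# "Powershell Base64 Encoded MpPreference Cmdlet": the same cmdlet behind -EncodedCommand.
ENCODED_CMD_RE = re.compile(r"-(?:enc|encodedcommand|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# "Suspicious Schtasks From Env Var Folder" / "Scheduled temp file as task":
# a task created from an XML definition that lives in a user-writable folder.
SCHTASKS_XML_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b.*?/xml\s+"?(?P<xml>[^"]+)', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\|\\Windows\\Temp\\|%(?:TEMP|TMP|APPDATA)%",
    re.IGNORECASE)
# "Suspicious Outbound SMTP Connections": mail ports from anything but a mail client.
SMTP_PORTS = {25, 465, 587, 2525}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allow-list; tune per estate


def decode_encoded_command(cmd):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or '' if none/invalid."""
    m = ENCODED_CMD_RE.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", "replace")
    except (binascii.Error, ValueError):
        return ""


def check_process_event(ev):
    """Rule names tripped by one process-creation event."""
    hits = []
    cmd = ev.get("CommandLine", "")
    image = ntpath.basename(ev.get("Image", "")).lower()
    if image == "powershell.exe" and (DEFENDER_EXCLUSION_RE.search(cmd)
                                      or DEFENDER_EXCLUSION_RE.search(decode_encoded_command(cmd))):
        hits.append("powershell_defender_exclusion")
    m = SCHTASKS_XML_RE.search(cmd)
    if image == "schtasks.exe" and m and USER_WRITABLE_RE.search(m.group("xml")):
        hits.append("schtasks_xml_from_user_writable_path")
    return hits


def check_network_event(ev):
    """Rule names tripped by one outbound network-connection event."""
    outbound_smtp = (ev.get("Protocol", "").lower() == "tcp" and ev.get("Initiated")
                     and int(ev.get("DestinationPort", 0)) in SMTP_PORTS)
    if outbound_smtp and ntpath.basename(ev.get("Image", "")).lower() not in MAIL_CLIENTS:
        return ["outbound_smtp_from_non_mail_client"]
    return []


def root_process(pid, parent_of):
    """Follow ParentProcessId links up to the top-most process we have seen."""
    seen = set()
    while pid in parent_of and pid not in seen:
        seen.add(pid)
        pid = parent_of[pid]
    return pid


def scan(events):
    """Map each process-tree root to the sorted, distinct rule names fired beneath it.

    Several distinct rules under one root (exclusion + task + SMTP) is the chain
    this report shows under PID 3200.
    """
    parent_of = {ev["ProcessId"]: ev["ParentProcessId"]
                 for ev in events if ev.get("EventID") == 1 and "ParentProcessId" in ev}
    hits = defaultdict(set)
    for ev in events:
        found = check_process_event(ev) if ev.get("EventID") == 1 else check_network_event(ev)
        if found:
            hits[root_process(ev["ProcessId"], parent_of)].update(found)
    return {pid: sorted(names) for pid, names in hits.items()}


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed after the report's process tree; not real telemetry
    {"EventID": 1, "ProcessId": 6224, "ParentProcessId": 3200, "Image": PS,
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
                    r'-ExclusionPath "C:\Users\user\Desktop\0PPJsQE4wD.exe"'},
    {"EventID": 1, "ProcessId": 6204, "ParentProcessId": 3200, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmp1AD3.tmp"'},
    {"EventID": 1, "ProcessId": 5660, "ParentProcessId": 3200, "Image": r"C:\Users\user\Desktop\0PPJsQE4wD.exe",
     "CommandLine": r'"C:\Users\user\Desktop\0PPJsQE4wD.exe"'},
    {"EventID": 3, "ProcessId": 5660, "Image": r"C:\Users\user\Desktop\0PPJsQE4wD.exe",
     "Protocol": "tcp", "Initiated": True, "DestinationIp": "46.175.148.58", "DestinationPort": 25},
    # Benign control: a mail client on the submission port must not fire.
    {"EventID": 3, "ProcessId": 4242, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Protocol": "tcp", "Initiated": True, "DestinationIp": "203.0.113.10", "DestinationPort": 587},
    # Same exclusion, but hidden behind -enc; the decoder must still catch it.
    {"EventID": 1, "ProcessId": 7000, "ParentProcessId": 6999, "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
         r"Add-MpPreference -ExclusionPath C:\Users\Public".encode("utf-16-le")).decode()},
]

if __name__ == "__main__":
    for pid, rules in sorted(scan(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(rules))
```

With the constructed events, root PID 3200 collects all three rule names while the Outlook connection on TCP/587 is allow-listed and the base64-hidden exclusion is still caught. Against real Sysmon or EDR data the same functions apply unchanged; the allow-list and the user-writable path list are the two knobs that need tuning to the environment.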


                    AV Detection

Source: 0PPJsQE4wD.exe | Avira: detected
Source: http://mail.iaa-airferight.com | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Avira: detection malicious, Label: TR/AD.GenSteal.zbxpi
Source: 0.2.0PPJsQE4wD.exe.36ccd60.1.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | ReversingLabs: Detection: 87%
Source: 0PPJsQE4wD.exe | Virustotal: Detection: 73%
Source: 0PPJsQE4wD.exe | ReversingLabs: Detection: 87%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.8% probability
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Joe Sandbox ML: detected
Source: 0PPJsQE4wD.exe | Joe Sandbox ML: detected
Source: 0PPJsQE4wD.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0PPJsQE4wD.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: xdqRd.pdbSHA256G | source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr
Source: Binary string: xdqRd.pdb | source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr

                    Networking

Source: Yara match | File source: 0.2.0PPJsQE4wD.exe.36ccd60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.0PPJsQE4wD.exe.3692340.2.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | IP Address: 46.175.148.58
Source: global traffic | TCP traffic: 192.168.2.5:49709 -> 46.175.148.58:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 0PPJsQE4wD.exe, 00000009.00000002.3309727209.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, OKTSUgBLN.exe, 0000000F.00000002.3309284654.00000000030D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.iaa-airferight.com
Source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | String found in binary or memory: http://s2.symcb.com0
Source: 0PPJsQE4wD.exe, 00000000.00000002.2097343497.0000000002650000.00000004.00000800.00020000.00000000.sdmp, OKTSUgBLN.exe, 0000000A.00000002.2132633424.0000000002B85000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | String found in binary or memory: http://www.symauth.com/cps0(
Source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | String found in binary or memory: http://www.symauth.com/rpa00
Source: 0PPJsQE4wD.exe, 00000000.00000002.2098555785.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, 0PPJsQE4wD.exe, 00000009.00000002.3306934348.0000000000436000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

                    System Summary

Source: 0.2.0PPJsQE4wD.exe.3692340.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.0PPJsQE4wD.exe.36ccd60.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.0PPJsQE4wD.exe.36ccd60.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.0PPJsQE4wD.exe.3692340.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 0_2_00C1D384
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 0_2_04AC7360
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 0_2_04AC0006
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 0_2_04AC0040
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 0_2_04AC7352
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 0_2_0A650448
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 9_2_014F9B38
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 9_2_014F4A98
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 9_2_014FCDB0
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 9_2_014F3E80
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 9_2_014F41C8
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 9_2_064056D8
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 9_2_06403F48
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 9_2_06402F00
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 9_2_0640BD00
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 9_2_0640DD00
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 9_2_06409AE0
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 9_2_06408B88
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 9_2_06400040
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 9_2_0640363B
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 9_2_06404FF8
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 10_2_04F6D384
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 10_2_0566F5F8
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 10_2_05668500
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 10_2_0566A5C8
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 10_2_0566A5B8
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 10_2_05668D70
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 10_2_05668928
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 10_2_0566A9F1
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 10_2_05660840
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 10_2_05660850
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 10_2_0566AA00
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 15_2_01629378
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 15_2_01629B38
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 15_2_01624A98
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 15_2_0162CDB0
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 15_2_01623E80
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 15_2_016241C8
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 15_2_066256D8
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 15_2_06623F48
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 15_2_06622F00
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 15_2_0662BD00
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 15_2_0662DD10
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 15_2_06629AE0
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 15_2_06628B98
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 15_2_06620040
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 15_2_06623650
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 15_2_06624FF8
Source: 0PPJsQE4wD.exe | Static PE information: invalid certificate
Source: 0PPJsQE4wD.exe, 00000000.00000000.2054018595.0000000000132000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamexdqRd.exe< vs 0PPJsQE4wD.exe
Source: 0PPJsQE4wD.exe, 00000000.00000002.2097343497.0000000002650000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs 0PPJsQE4wD.exe
Source: 0PPJsQE4wD.exe, 00000000.00000002.2086594102.000000000069E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 0PPJsQE4wD.exe
Source: 0PPJsQE4wD.exe, 00000000.00000002.2098555785.00000000035F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs 0PPJsQE4wD.exe
Source: 0PPJsQE4wD.exe, 00000000.00000002.2098555785.00000000035F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs 0PPJsQE4wD.exe
Source: 0PPJsQE4wD.exe, 00000000.00000002.2104420456.0000000007380000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs 0PPJsQE4wD.exe
Source: 0PPJsQE4wD.exe, 00000009.00000002.3307440772.0000000001028000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 0PPJsQE4wD.exe
Source: 0PPJsQE4wD.exe, 00000009.00000002.3307268556.0000000000F58000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 0PPJsQE4wD.exe
Source: 0PPJsQE4wD.exe | Binary or memory string: OriginalFilenamexdqRd.exe< vs 0PPJsQE4wD.exe
Source: 0PPJsQE4wD.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.0PPJsQE4wD.exe.3692340.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.0PPJsQE4wD.exe.36ccd60.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.0PPJsQE4wD.exe.36ccd60.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.0PPJsQE4wD.exe.3692340.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0PPJsQE4wD.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: OKTSUgBLN.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@21/15@1/1
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | File created: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1268:120:WilError_03
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | File created: C:\Users\user\AppData\Local\Temp\tmp1AD3.tmp
Source: 0PPJsQE4wD.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0PPJsQE4wD.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 0PPJsQE4wD.exe | Virustotal: Detection: 73%
Source: 0PPJsQE4wD.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | File read: C:\Users\user\Desktop\0PPJsQE4wD.exe
Source: unknown | Process created: C:\Users\user\Desktop\0PPJsQE4wD.exe "C:\Users\user\Desktop\0PPJsQE4wD.exe"
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0PPJsQE4wD.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OKTSUgBLN.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" /XML "C:\Users\user\AppData\Local\Temp\tmp1AD3.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Process created: C:\Users\user\Desktop\0PPJsQE4wD.exe "C:\Users\user\Desktop\0PPJsQE4wD.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe C:\Users\user\AppData\Roaming\OKTSUgBLN.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" /XML "C:\Users\user\AppData\Local\Temp\tmp2C57.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Process created: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe "C:\Users\user\AppData\Roaming\OKTSUgBLN.exe"
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeProcess created: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe "C:\Users\user\AppData\Roaming\OKTSUgBLN.exe"
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: 0PPJsQE4wD.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 0PPJsQE4wD.exe | Static file information: File size 1086056 > 1048576
Source: 0PPJsQE4wD.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 0PPJsQE4wD.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: xdqRd.pdbSHA256G | source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr
Source: Binary string: xdqRd.pdb | source: 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr
Source: 0PPJsQE4wD.exe | Static PE information: 0xC822D260 [Tue May 26 13:28:00 2076 UTC]
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Code function: 0_2_00C1EF30 push eax; iretd 0_2_00C1EF31
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 10_2_04F6EF30 push eax; iretd 10_2_04F6EF31
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Code function: 10_2_05663AD3 push ebx; retf 10_2_05663ADA
Source: 0PPJsQE4wD.exe | Static PE information: section name: .text entropy: 7.896354902270702
Source: OKTSUgBLN.exe.0.dr | Static PE information: section name: .text entropy: 7.896354902270702
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | File created: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe

Boot Survival

Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" /XML "C:\Users\user\AppData\Local\Temp\tmp1AD3.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 identical events)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 identical events)
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe  Process information set: NOOPENFILEERRORBOX (43 identical events)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX (185 identical events)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Process information set: NOOPENFILEERRORBOX (53 identical rows)
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Process information set: NOOPENFILEERRORBOX (95 identical rows)
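The behaviour rows of this report are extracted table cells, so the source path, the event label and its value run together and many rows end in the link text "Jump to behavior". As an added example (not part of the Joe Sandbox report), the following Python script parses rows of that shape and collapses them into a triage summary: repeat counts for identical rows, the WMI classes each process queried, the number of write-watch reserves per process, which processes slept with an infinite timeout, and the summed sleep-call counts per thread. The sample rows are copied from this report; the event labels are the ones that occur on this page; the reading of 922337203685477 as the Sleep(INFINITE) sentinel (INT64_MIN in 100 ns units, printed by the report divided by 10000) is the editor's interpretation, not something the report states. One caveat a practitioner should keep in mind: the Windows .NET runtime reserves its GC heap with MEM_WRITE_WATCH, so "memory write watch" rows appear for ordinary managed executables and are a weak indicator on their own.

```python
"""Triage helper for behaviour rows extracted from a Joe Sandbox report.

Added example, not part of the report. Each row is assumed to look like
"Source: <process or 'Yara match'>[ TID: <n>]<Event label>: <value>[Jump to behavior]"
with the table cells run together, as in the extracted text of this page.
"""
import re
from collections import Counter, defaultdict

# Event labels that occur in this section of the report.
EVENT_LABELS = (
    "Process information set", "WMI Queries", "Memory allocated",
    "Thread delayed", "Window / User API", "Thread sleep count",
    "Thread sleep time", "File source",
)

ROW_RE = re.compile(
    r"^\s*Source:\s*(?P<source>.+?)"
    r"(?:\s+TID:\s*(?P<tid>\d+))?"
    r"(?P<event>" + "|".join(re.escape(e) for e in EVENT_LABELS) + r"):\s*"
    r"(?P<value>.*?)(?:Jump to behavior)?\s*$"
)

# Editor's interpretation, not stated by the report: NtDelayExecution takes a
# relative interval in 100 ns units and Sleep(INFINITE) passes INT64_MIN; the
# report prints that value divided by 10000, which gives this sentinel.
INFINITE_DELAY = (2 ** 63) // 10000  # 922337203685477

# Constructed sample input: rows copied verbatim from this report.
SAMPLE_ROWS = r"""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeProcess information set: NOOPENFILEERRORBOX
Source: Yara matchFile source: Process Memory Space: 0PPJsQE4wD.exe PID: 3200, type: MEMORYSTR
Source: C:\Users\user\Desktop\0PPJsQE4wD.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\0PPJsQE4wD.exeMemory allocated: C10000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\0PPJsQE4wD.exeMemory allocated: 25F0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeMemory allocated: 1620000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6556Thread sleep count: 7821 > 30Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6556Thread sleep count: 1740 > 30Jump to behavior
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 1976Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908Thread sleep time: -99843s >= -30000sJump to behavior
"""


def parse_rows(text):
    """Split report rows into source / tid / event / value records."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m is None:
            continue  # blank line or a row shape this parser does not know
        rows.append({
            "source": m["source"].strip(),
            "tid": int(m["tid"]) if m["tid"] else None,
            "event": m["event"],
            "value": m["value"].strip(),
        })
    return rows


def summarize(rows):
    """Collapse repeated rows and pull out the evasion-relevant facts."""
    s = {
        "rows_by_process": Counter(),
        "collapsed": Counter(),            # (source, event, value) -> repeats
        "wmi_classes": defaultdict(set),   # source -> WMI classes queried
        "write_watch_allocs": Counter(),   # source -> MEM_WRITE_WATCH reserves
        "infinite_sleeps": set(),          # sources that slept with INFINITE
        "sleep_calls_by_tid": Counter(),   # (source, tid) -> summed sleep count
    }
    for r in rows:
        src, ev, val = r["source"], r["event"], r["value"]
        s["rows_by_process"][src] += 1
        s["collapsed"][(src, ev, val)] += 1
        if ev == "WMI Queries":
            s["wmi_classes"][src].add(val.rsplit(":", 1)[-1].strip())
        elif ev == "Memory allocated" and "memory write watch" in val:
            # Weak signal on its own: the Windows .NET runtime reserves its GC
            # heap with MEM_WRITE_WATCH, so managed binaries produce these rows.
            s["write_watch_allocs"][src] += 1
        elif ev in ("Thread delayed", "Thread sleep time") and str(INFINITE_DELAY) in val:
            s["infinite_sleeps"].add(src)
        elif ev == "Thread sleep count" and r["tid"] is not None:
            s["sleep_calls_by_tid"][(src, r["tid"])] += int(val.split()[0])
    return s


def collapsed_lines(summary):
    """Render the de-duplicated rows with repeat counts, noisiest first."""
    return [f"{src} {ev}: {val} (x{n})"
            for (src, ev, val), n in summary["collapsed"].most_common()]


if __name__ == "__main__":
    summary = summarize(parse_rows(SAMPLE_ROWS))
    print("\n".join(collapsed_lines(summary)))
    print("WMI classes:", dict(summary["wmi_classes"]))
    print("infinite sleeps:", summary["infinite_sleeps"])
```

Running the script on the full extracted page instead of SAMPLE_ROWS turns the hundreds of identical "Process information set" rows into three lines with counts and leaves the per-thread sleep and WMI rows, which are the ones worth reading, visible at a glance.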

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: 0PPJsQE4wD.exe PID: 3200, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: OKTSUgBLN.exe PID: 6692, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Memory allocated: C10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Memory allocated: 25F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Memory allocated: 2410000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Memory allocated: 7510000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Memory allocated: 8510000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Memory allocated: 86C0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Memory allocated: 96C0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Memory allocated: 14F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Memory allocated: 2F50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Memory allocated: 2D10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Memory allocated: 2A20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Memory allocated: 2B20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Memory allocated: 2A20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Memory allocated: 7640000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Memory allocated: 8640000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Memory allocated: 87E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Memory allocated: 97E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Memory allocated: 1620000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Memory allocated: 3080000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Memory allocated: 5080000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7821
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1740
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7991
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1598
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Window / User API: threadDelayed 4437
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Window / User API: threadDelayed 5407
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Window / User API: threadDelayed 8023
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Window / User API: threadDelayed 1809
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 1976 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6556 Thread sleep count: 7821 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2820 Thread sleep time: -10145709240540247s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6556 Thread sleep count: 1740 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2360 Thread sleep time: -11068046444225724s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep count: 36 > 30
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -33204139332677172s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 3924 Thread sleep count: 4437 > 30
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -99843s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -99733s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -99625s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 3924 Thread sleep count: 5407 > 30
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -99515s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -99406s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -99296s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -99187s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -99078s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -98968s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -98859s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -98750s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -98614s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -98485s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -98359s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -98250s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -98141s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -98016s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -97906s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -97797s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -97688s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -97568s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -97438s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -97313s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -97203s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -97089s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -96969s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -96859s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -96750s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -96641s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -96530s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -96422s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -96312s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -96203s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -96094s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -95969s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -95859s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -95750s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -95641s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -95531s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -95422s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -95312s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -95203s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908 Thread sleep time: -95094s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908Thread sleep time: -94984s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908Thread sleep time: -94875s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908Thread sleep time: -94766s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908Thread sleep time: -94641s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908Thread sleep time: -94516s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908Thread sleep time: -94406s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe TID: 5908Thread sleep time: -94297s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 6948Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep count: 33 > 30
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -30437127721620741s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7504Thread sleep count: 8023 > 30
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -99891s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7504Thread sleep count: 1809 > 30
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -99766s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -99641s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -99531s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -99422s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -99313s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -99188s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -99063s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -98953s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -98844s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -98719s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -98610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -98485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -98360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -98234s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -98125s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -98016s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -97907s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -97794s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -97672s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -97547s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -97438s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -97313s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -97203s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -97094s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -96969s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -96860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -96735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -96610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -96485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -96354s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -96235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -96110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -95985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -95860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -95735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -95610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -95485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -95360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -95235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -95110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -94986s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -94860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -94735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -94610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -94485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -94360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -94249s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe TID: 7496Thread sleep time: -94128s >= -30000s
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 99843Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 99733Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 99625Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 99515Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 99406Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 99296Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 99187Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 99078Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 98968Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 98859Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 98750Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 98614Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 98485Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 98359Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 98250Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 98141Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 98016Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 97906Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 97797Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 97688Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 97568Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 97438Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 97313Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 97203Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 97089Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 96969Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 96859Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 96750Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 96641Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 96530Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 96422Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 96312Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 96203Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 96094Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 95969Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 95859Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 95750Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 95641Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 95531Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 95422Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 95312Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 95203Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 95094Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 94984Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 94875Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 94766Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 94641Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 94516Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 94406Jump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeThread delayed: delay time: 94297Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 99891
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 99766
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 99641
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 99531
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 99422
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 99313
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 99188
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 99063
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 98953
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 98844
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 98719
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 98610
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 98485
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 98360
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 98234
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 98125
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 98016
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 97907
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 97794
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 97672
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 97547
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 97438
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 97313
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 97203
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 97094
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 96969
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 96860
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 96735
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 96610
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 96485
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 96354
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 96235
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 96110
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 95985
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 95860
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 95735
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 95610
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 95485
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 95360
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 95235
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 95110
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 94986
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 94860
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 94735
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 94610
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 94485
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 94360
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 94249
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeThread delayed: delay time: 94128
                    Source: 0PPJsQE4wD.exe, 00000009.00000002.3307440772.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, OKTSUgBLN.exe, 0000000F.00000002.3307514009.0000000001476000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0PPJsQE4wD.exe"
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OKTSUgBLN.exe"
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0PPJsQE4wD.exe"
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OKTSUgBLN.exe"
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Memory written: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0PPJsQE4wD.exe"
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OKTSUgBLN.exe"
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" /XML "C:\Users\user\AppData\Local\Temp\tmp1AD3.tmp"
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Process created: C:\Users\user\Desktop\0PPJsQE4wD.exe "C:\Users\user\Desktop\0PPJsQE4wD.exe"
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" /XML "C:\Users\user\AppData\Local\Temp\tmp2C57.tmp"
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Process created: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe "C:\Users\user\AppData\Roaming\OKTSUgBLN.exe"
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe Process created: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe "C:\Users\user\AppData\Roaming\OKTSUgBLN.exe"
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Queries volume information: C:\Users\user\Desktop\0PPJsQE4wD.exe VolumeInformation
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeQueries volume information: C:\Users\user\Desktop\0PPJsQE4wD.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeQueries volume information: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeQueries volume information: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.0PPJsQE4wD.exe.3692340.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.0PPJsQE4wD.exe.36ccd60.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.0PPJsQE4wD.exe.36ccd60.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.0PPJsQE4wD.exe.3692340.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000F.00000002.3309284654.00000000030CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.3309727209.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.3309727209.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.3309284654.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2098555785.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 0PPJsQE4wD.exe PID: 3200, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: 0PPJsQE4wD.exe PID: 5660, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: OKTSUgBLN.exe PID: 7412, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (repeated 2 times)
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\0PPJsQE4wD.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (repeated 2 times)
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 0.2.0PPJsQE4wD.exe.3692340.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.0PPJsQE4wD.exe.36ccd60.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.0PPJsQE4wD.exe.36ccd60.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.0PPJsQE4wD.exe.3692340.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000F.00000002.3306935480.0000000000437000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.3309727209.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.3309284654.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2098555785.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 0PPJsQE4wD.exe PID: 3200, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: 0PPJsQE4wD.exe PID: 5660, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: OKTSUgBLN.exe PID: 7412, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0.2.0PPJsQE4wD.exe.3692340.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.0PPJsQE4wD.exe.36ccd60.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.0PPJsQE4wD.exe.36ccd60.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.0PPJsQE4wD.exe.3692340.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000F.00000002.3309284654.00000000030CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.3309727209.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.3309727209.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.3309284654.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2098555785.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 0PPJsQE4wD.exe PID: 3200, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: 0PPJsQE4wD.exe PID: 5660, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: OKTSUgBLN.exe PID: 7412, type: MEMORYSTR
                    | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
                    | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 Scheduled Task/Job | 111 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 211 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                    | Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | 1 Credentials in Registry | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
                    | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 141 Virtualization/Sandbox Evasion | Security Account Manager | 141 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 2 Data from Local System | 11 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
                    | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
                    | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                    | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | 24 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                    | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                    | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1587614 | Sample: 0PPJsQE4wD.exe | Startdate: 10/01/2025 | Architecture: WINDOWS | Score: 100
                    DNS/IP Info (start node): mail.iaa-airferight.com
                    Signatures (start node): Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures
                    Process tree:
                    • 0PPJsQE4wD.exe (7), started
                      Created files: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe (PE32, dropped); C:\Users\...\OKTSUgBLN.exe:Zone.Identifier (ASCII, dropped); C:\Users\user\AppData\Local\...\tmp1AD3.tmp (XML, dropped); C:\Users\user\AppData\...\0PPJsQE4wD.exe.log (ASCII, dropped)
                      Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
                      • 0PPJsQE4wD.exe (2), started
                        DNS/IP Info: mail.iaa-airferight.com, 46.175.148.58, port 25, ASLAGIDKOM-NETUA, Ukraine
                      • powershell.exe (23), started
                        Signatures: Loading BitLocker PowerShell Module
                        • conhost.exe, started
                        • WmiPrvSE.exe, started
                      • powershell.exe (23), started
                        • conhost.exe, started
                      • schtasks.exe (1), started
                        • conhost.exe, started
                    • OKTSUgBLN.exe (5), started
                      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
                      • OKTSUgBLN.exe, started
                        Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
                      • schtasks.exe, started
                        • conhost.exe, started
                      • OKTSUgBLN.exe, started

                    | Source | Detection | Scanner | Label |
                    |---|---|---|---|
                    | 0PPJsQE4wD.exe | 74% | Virustotal | |
                    | 0PPJsQE4wD.exe | 88% | ReversingLabs | Win32.Trojan.Leonem |
                    | 0PPJsQE4wD.exe | 100% | Avira | TR/AD.GenSteal.zbxpi |
                    | 0PPJsQE4wD.exe | 100% | Joe Sandbox ML | |

                    | Source | Detection | Scanner | Label |
                    |---|---|---|---|
                    | C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | 100% | Avira | TR/AD.GenSteal.zbxpi |
                    | C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | 100% | Joe Sandbox ML | |
                    | C:\Users\user\AppData\Roaming\OKTSUgBLN.exe | 88% | ReversingLabs | Win32.Trojan.Leonem |

                    No Antivirus matches

                    No Antivirus matches

                    | Source | Detection | Scanner | Label |
                    |---|---|---|---|
                    | http://mail.iaa-airferight.com | 100% | Avira URL Cloud | malware |
                    | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
                    |---|---|---|---|---|---|
                    | mail.iaa-airferight.com | 46.175.148.58 | true | false | | high |

                    | Name | Source | Malicious | Antivirus Detection | Reputation |
                    |---|---|---|---|---|
                    | https://account.dyn.com/ | 0PPJsQE4wD.exe, 00000000.00000002.2098555785.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, 0PPJsQE4wD.exe, 00000009.00000002.3306934348.0000000000436000.00000040.00000400.00020000.00000000.sdmp | false | | high |
                    | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0PPJsQE4wD.exe, 00000000.00000002.2097343497.0000000002650000.00000004.00000800.00020000.00000000.sdmp, OKTSUgBLN.exe, 0000000A.00000002.2132633424.0000000002B85000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                    | http://www.symauth.com/cps0( | 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | false | | high |
                    | http://www.symauth.com/rpa00 | 0PPJsQE4wD.exe, OKTSUgBLN.exe.0.dr | false | | high |
                    | http://mail.iaa-airferight.com | 0PPJsQE4wD.exe, 00000009.00000002.3309727209.0000000002FA8000.00000004.00000800.00020000.00000000.sdmp, OKTSUgBLN.exe, 0000000F.00000002.3309284654.00000000030D7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown |

                    Legend (share of IPs per ASN):
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    | IP | Domain | Country | ASN | ASN Name | Malicious |
                    |---|---|---|---|---|---|
                    | 46.175.148.58 | mail.iaa-airferight.com | Ukraine | 56394 | ASLAGIDKOM-NETUA | false |
                              Joe Sandbox version:42.0.0 Malachite
                              Analysis ID:1587614
                              Start date and time:2025-01-10 15:44:36 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 6m 31s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:18
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:0PPJsQE4wD.exe
                              renamed because original name is a hash value
                              Original Sample Name:2638d6a3c5e906c7ad8bfce0a4b233789c0ad98a46c32deb0f3cd889481a75b0.exe
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@21/15@1/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 99%
                              • Number of executed functions: 152
                              • Number of non-executed functions: 5
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                              • Excluded IPs from analysis (whitelisted): 2.23.242.162, 4.175.87.197, 13.107.246.45
                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtCreateKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:45:29 | API Interceptor | 179x Sleep call for process: 0PPJsQE4wD.exe modified
09:45:30 | API Interceptor | 54x Sleep call for process: powershell.exe modified
09:45:33 | API Interceptor | 163x Sleep call for process: OKTSUgBLN.exe modified
15:45:31 | Task Scheduler | Run new task: OKTSUgBLN path: C:\Users\user\AppData\Roaming\OKTSUgBLN.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
46.175.148.58 | kzy8qg5lbR.exe | Get hash | malicious | AgentTesla | Browse |
| OP53532 Harumi new order.scr.exe | Get hash | malicious | AgentTesla | Browse |
| INV01542 , INV01562-7500003124 JTR-0084.exe | Get hash | malicious | AgentTesla | Browse |
| Shipment Dec Orders valves 2024.scr.exe | Get hash | malicious | AgentTesla | Browse |
| proforma invoice.exe | Get hash | malicious | AgentTesla | Browse |
| Overdue_payment.pdf.exe | Get hash | malicious | AgentTesla | Browse |
| PO for fabric forecast.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
| 980001672 PPR for 30887217.scr.exe | Get hash | malicious | AgentTesla | Browse |
| lC7L7oBBMC.exe | Get hash | malicious | AgentTesla | Browse |
| OHScaqAPjt.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
mail.iaa-airferight.com | kzy8qg5lbR.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
| OP53532 Harumi new order.scr.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
| INV01542 , INV01562-7500003124 JTR-0084.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
| Shipment Dec Orders valves 2024.scr.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
| proforma invoice.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
| Overdue_payment.pdf.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
| PO for fabric forecast.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 46.175.148.58
| 980001672 PPR for 30887217.scr.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
| lC7L7oBBMC.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
| OHScaqAPjt.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse | 46.175.148.58
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ASLAGIDKOM-NETUA | kzy8qg5lbR.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
| OP53532 Harumi new order.scr.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
| INV01542 , INV01562-7500003124 JTR-0084.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
| Shipment Dec Orders valves 2024.scr.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
| proforma invoice.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
| Overdue_payment.pdf.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
| PO for fabric forecast.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 46.175.148.58
| 980001672 PPR for 30887217.scr.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
| lC7L7oBBMC.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
| OHScaqAPjt.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse | 46.175.148.58
                                                  No context
                                                  No context
                                                  Process:C:\Users\user\Desktop\0PPJsQE4wD.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.34331486778365
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                  Malicious:true
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                  Process:C:\Users\user\AppData\Roaming\OKTSUgBLN.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.34331486778365
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                  Malicious:false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):2232
                                                  Entropy (8bit):5.3797706053345555
                                                  Encrypted:false
                                                  SSDEEP:48:fWSU4xympx4RfoUP7gZ9tK8NPZHUx7u1iMuge//ZPUyds:fLHxv/IwLZ2KRH6OugEs
                                                  MD5:491A04CF4BEB6051A7EF34497EFBCC36
                                                  SHA1:50640B71A4A737C68D2D4CDCEEA91A608FCF1035
                                                  SHA-256:9C380DAE9B3DA91002894DC8CF3D5E79A29B1B88AC3782F99F0F36E9D187B462
                                                  SHA-512:59206435C76A0B33BAFB7E8B28DAB693A417D68D9A67DA772D0047AF85C8B03084C9E39A70DE2ADB14011074D049C0CA5F4575286049C8E89AE867D167B0F052
                                                  Malicious:false
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Users\user\Desktop\0PPJsQE4wD.exe
                                                  File Type:XML 1.0 document, ASCII text
                                                  Category:dropped
                                                  Size (bytes):1582
                                                  Entropy (8bit):5.105936711678186
                                                  Encrypted:false
                                                  SSDEEP:48:cgergYrFdOFzOzN33ODOiDdKrsuTQXkBv:HergYrFdOFzOz6dKrsukw
                                                  MD5:6D8DBF2AEE010D2CEB84BF4415EF886D
                                                  SHA1:79FEC29F235F79B0B9808599DF8A597B66922E34
                                                  SHA-256:B7973CEB1F67BB5FC9B8E0F0C42D4F2F8F069A73F67AF5F8DFF401A9748C3D43
                                                  SHA-512:C840964A74EF41A942561A78EA71C5FB70F98327B2C35FED46E532D4A177A05E91B7B146270424CCD1599348F0A9143ED14BF4961338B486DCDD47D4CC2416FC
                                                  Malicious:true
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                  Process:C:\Users\user\AppData\Roaming\OKTSUgBLN.exe
                                                  File Type:XML 1.0 document, ASCII text
                                                  Category:dropped
                                                  Size (bytes):1582
                                                  Entropy (8bit):5.105936711678186
                                                  Encrypted:false
                                                  SSDEEP:48:cgergYrFdOFzOzN33ODOiDdKrsuTQXkBv:HergYrFdOFzOz6dKrsukw
                                                  MD5:6D8DBF2AEE010D2CEB84BF4415EF886D
                                                  SHA1:79FEC29F235F79B0B9808599DF8A597B66922E34
                                                  SHA-256:B7973CEB1F67BB5FC9B8E0F0C42D4F2F8F069A73F67AF5F8DFF401A9748C3D43
                                                  SHA-512:C840964A74EF41A942561A78EA71C5FB70F98327B2C35FED46E532D4A177A05E91B7B146270424CCD1599348F0A9143ED14BF4961338B486DCDD47D4CC2416FC
                                                  Malicious:false
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                  Process:C:\Users\user\Desktop\0PPJsQE4wD.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1086056
                                                  Entropy (8bit):7.5549738300186355
                                                  Encrypted:false
                                                  SSDEEP:24576:KQqL6rVbCx3YNB9WwzdXcaEPLPelSu2VRhNam+:U6lCyJuaEYA3fb+
                                                  MD5:D5144747A0AC45151B3C5DA28EED836B
                                                  SHA1:CC6A2EAB70DEF6F10C6BE941E30E5C8BF5C88C8B
                                                  SHA-256:2638D6A3C5E906C7AD8BFCE0A4B233789C0AD98A46C32DEB0F3CD889481A75B0
                                                  SHA-512:72DBBBE7217D86AEEE4F31A2C3544E0119022E4D8D7C320A8E8AA9D5652BAB3C6F0052F0191AF0CF30AD1705517E00148848A7F4FDC1ADF322DE5AAB1588193F
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 88%
                                                  Process:C:\Users\user\Desktop\0PPJsQE4wD.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:true
                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.5549738300186355
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:0PPJsQE4wD.exe
                                                  File size:1'086'056 bytes
                                                  MD5:d5144747a0ac45151b3c5da28eed836b
                                                  SHA1:cc6a2eab70def6f10c6be941e30e5c8bf5c88c8b
                                                  SHA256:2638d6a3c5e906c7ad8bfce0a4b233789c0ad98a46c32deb0f3cd889481a75b0
                                                  SHA512:72dbbbe7217d86aeee4f31a2c3544e0119022e4d8d7c320a8e8aa9d5652bab3c6f0052f0191af0cf30ad1705517e00148848a7f4fdc1adf322de5aab1588193f
                                                  SSDEEP:24576:KQqL6rVbCx3YNB9WwzdXcaEPLPelSu2VRhNam+:U6lCyJuaEYA3fb+
                                                  TLSH:7F35F082A2146F26DD799BF56A32C53103327D6DB875E22C1DE97CCB3B7AF928510813
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`."...............0.................. ........@.. ....................................@................................
                                                  Icon Hash:c5949296969e8473
                                                  Entrypoint:0x4cf606
                                                  Entrypoint Section:.text
                                                  Digitally signed:true
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0xC822D260 [Tue May 26 13:28:00 2076 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                  Signature Valid:false
                                                  Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                  Signature Validation Error:The digital signature of the object did not verify
                                                  Error Number:-2146869232
Not Before: 11/11/2021 01:00:00
Not After: 14/11/2024 00:59:59
                                                  Subject Chain
                                                  • CN="NetEase Youdao Information Technology (Beijing) Co.,Ltd.", O="NetEase Youdao Information Technology (Beijing) Co.,Ltd.", S=Beijing, C=CN
                                                  Version:3
                                                  Thumbprint MD5:4F5FEC748CD450F88841E761105381F9
                                                  Thumbprint SHA-1:4969233BC110419F015F688CF21C19254B1B0BAA
                                                  Thumbprint SHA-256:1CC254B81F32E63E63AD35958D2E738ADAA491167E1EA91199DEF66274175909
                                                  Serial:01CC0C6632D0CA3E68F19D8028508E91
                                                  Instruction
                                                  jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: the 00 00 bytes following the .NET entry stub disassemble to this instruction)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcf5b1 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd0000 | 0x381a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x105e00 | 0x3468 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xcbab4 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xcd60c | 0xcd800 | b3aaf8304d228648ac82fd77d37abfaa | False | 0.9223692214111923 | data | 7.896354902270702 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xd0000 | 0x381a8 | 0x38200 | 1fc938daae9d58316cdb9d56c1b59153 | False | 0.3082066049554566 | data | 5.2046323316294245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10a000 | 0xc | 0x200 | 5a1654180f4f91a04ec13b452bcdf52d | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd0460 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.38353658536585367
RT_ICON | 0xd0ac8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.48655913978494625
RT_ICON | 0xd0db0 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | | | 0.5286885245901639
RT_ICON | 0xd0f98 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.5878378378378378
RT_ICON | 0xd10c0 | 0x6739 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9933017975402081
RT_ICON | 0xd77fc | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.5578358208955224
RT_ICON | 0xd86a4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.6367328519855595
RT_ICON | 0xd8f4c | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.6497695852534562
RT_ICON | 0xd9614 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.47760115606936415
RT_ICON | 0xd9b7c | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.125
RT_ICON | 0xea3a4 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.21113622030691612
RT_ICON | 0xf384c | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | | | 0.21157894736842106
RT_ICON | 0xfa034 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.24269870609981517
RT_ICON | 0xff4bc | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.22325224374114314
RT_ICON | 0x1036e4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.3196058091286307
RT_ICON | 0x105c8c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.3642120075046904
RT_ICON | 0x106d34 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.5086065573770492
RT_ICON | 0x1076bc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5735815602836879
RT_GROUP_ICON | 0x107b24 | 0x102 | data | | | 0.5697674418604651
RT_VERSION | 0x107c28 | 0x394 | OpenPGP Secret Key | | | 0.42139737991266374
RT_MANIFEST | 0x107fbc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 15:45:33.871104956 CET | 49709 | 25 | 192.168.2.5 | 46.175.148.58
Jan 10, 2025 15:45:34.896302938 CET | 49709 | 25 | 192.168.2.5 | 46.175.148.58
Jan 10, 2025 15:45:36.990048885 CET | 49709 | 25 | 192.168.2.5 | 46.175.148.58
Jan 10, 2025 15:45:37.377885103 CET | 49712 | 25 | 192.168.2.5 | 46.175.148.58
Jan 10, 2025 15:45:38.396295071 CET | 49712 | 25 | 192.168.2.5 | 46.175.148.58
Jan 10, 2025 15:45:40.396334887 CET | 49712 | 25 | 192.168.2.5 | 46.175.148.58
Jan 10, 2025 15:45:40.990094900 CET | 49709 | 25 | 192.168.2.5 | 46.175.148.58
Jan 10, 2025 15:45:44.396373987 CET | 49712 | 25 | 192.168.2.5 | 46.175.148.58
Jan 10, 2025 15:45:49.005762100 CET | 49709 | 25 | 192.168.2.5 | 46.175.148.58
Jan 10, 2025 15:45:52.396534920 CET | 49712 | 25 | 192.168.2.5 | 46.175.148.58
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 15:45:33.830971956 CET | 52111 | 53 | 192.168.2.5 | 1.1.1.1
Jan 10, 2025 15:45:33.846050978 CET | 53 | 52111 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 15:45:33.830971956 CET | 192.168.2.5 | 1.1.1.1 | 0xb57c | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 15:45:33.846050978 CET | 1.1.1.1 | 192.168.2.5 | 0xb57c | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false

                                                  Target ID:0
                                                  Start time:09:45:28
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\Desktop\0PPJsQE4wD.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\0PPJsQE4wD.exe"
                                                  Imagebase:0x130000
                                                  File size:1'086'056 bytes
                                                  MD5 hash:D5144747A0AC45151B3C5DA28EED836B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2098555785.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2098555785.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:09:45:29
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0PPJsQE4wD.exe"
                                                  Imagebase:0x520000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:09:45:29
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:5
                                                  Start time:09:45:30
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OKTSUgBLN.exe"
                                                  Imagebase:0x520000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:6
                                                  Start time:09:45:30
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:09:45:30
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" /XML "C:\Users\user\AppData\Local\Temp\tmp1AD3.tmp"
                                                  Imagebase:0x3d0000
                                                  File size:187'904 bytes
                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:8
                                                  Start time:09:45:30
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:9
                                                  Start time:09:45:30
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\Desktop\0PPJsQE4wD.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\0PPJsQE4wD.exe"
                                                  Imagebase:0xac0000
                                                  File size:1'086'056 bytes
                                                  MD5 hash:D5144747A0AC45151B3C5DA28EED836B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3309727209.0000000002FA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3309727209.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3309727209.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:10
                                                  Start time:09:45:31
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\AppData\Roaming\OKTSUgBLN.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Roaming\OKTSUgBLN.exe
                                                  Imagebase:0x6e0000
                                                  File size:1'086'056 bytes
                                                  MD5 hash:D5144747A0AC45151B3C5DA28EED836B
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 88%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:11
                                                  Start time:09:45:33
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                  Imagebase:0x7ff6ef0c0000
                                                  File size:496'640 bytes
                                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                  Has elevated privileges:true
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:12
                                                  Start time:09:45:34
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OKTSUgBLN" /XML "C:\Users\user\AppData\Local\Temp\tmp2C57.tmp"
                                                  Imagebase:0x3d0000
                                                  File size:187'904 bytes
                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:13
                                                  Start time:09:45:34
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:14
                                                  Start time:09:45:34
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\AppData\Roaming\OKTSUgBLN.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\OKTSUgBLN.exe"
                                                  Imagebase:0x3b0000
                                                  File size:1'086'056 bytes
                                                  MD5 hash:D5144747A0AC45151B3C5DA28EED836B
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:15
                                                  Start time:09:45:35
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\AppData\Roaming\OKTSUgBLN.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\OKTSUgBLN.exe"
                                                  Imagebase:0xce0000
                                                  File size:1'086'056 bytes
                                                  MD5 hash:D5144747A0AC45151B3C5DA28EED836B
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3309284654.00000000030CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3306935480.0000000000437000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3309284654.0000000003081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3309284654.0000000003081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Has exited:false

                                                    Execution Graph

                                                    Execution Coverage:10.7%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:6.7%
                                                    Total number of Nodes:150
                                                    Total number of Limit Nodes:8
                                                    execution_graph (interactive graph rendering not recoverable from the export; the graph nodes reference the Win32 calls DuplicateHandle, GetModuleHandleW, CreateActCtxA, CreateWindowExW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId and CallWindowProcW, reached from entry nodes c1d6a0, c1acd0, c14668, c1d458, 4ac7360 and 92d01c)

                                                    Control-flow Graph

                                                    • Executed / Not Executed node coloring not recoverable from the export
                                                    • control_flow_graph for the function at 4ac7360: internal calls to helpers 4ac6e7c through 4ac7010 only, no direct Win32 API calls in this graph
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2102025015.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4ac0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 90$Ppcq
                                                    • API String ID: 0-1719840682
                                                    • Opcode ID: 4f5aa1ab99c4a32d22d17bf49f83e700a219a8cc8203aaab738d5b7b8cb0fdab
                                                    • Instruction ID: 0bcadecf52472e7f9bea15e808274c721c6c423c9d1a04472dbe5202164b5ea2
                                                    • Opcode Fuzzy Hash: 4f5aa1ab99c4a32d22d17bf49f83e700a219a8cc8203aaab738d5b7b8cb0fdab
                                                    • Instruction Fuzzy Hash: C1E2D434A41219CFDB55DF68C994AE9B7B2FF89300F1181E9D409AB3A5DB31AE85CF40

                                                    Control-flow Graph

                                                    • Executed / Not Executed node coloring not recoverable from the export
                                                    • control_flow_graph for the function at 4ac7352: internal calls to helpers 4ac6e7c through 4ac7010 only, no direct Win32 API calls in this graph
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2102025015.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4ac0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 90$Ppcq
                                                    • API String ID: 0-1719840682
                                                    • Opcode ID: c4397154ad4193bea4ce74468445d05a9c455f2e60c448b16c66d421b27ed393
                                                    • Instruction ID: fea94ede1b295b7813c3513895546252fd61effbce6bdee233bebc9f191b7a85
                                                    • Opcode Fuzzy Hash: c4397154ad4193bea4ce74468445d05a9c455f2e60c448b16c66d421b27ed393
                                                    • Instruction Fuzzy Hash: 4DD2D334A41219CFDB55DF64C994AE9B7B2FF89304F1181E9E409AB3A1DB31AE85CF40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2106009225.000000000A650000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A650000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_a650000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: edf367ec85979c5ce8d7140f06674f3ed97aefa4adbeb4fe90081876a01c9df2
                                                    • Instruction ID: 43b054092b19ab2ae2e3a3f5ef3547580d8e33fa6fe40a662596221b22363cd4
                                                    • Opcode Fuzzy Hash: edf367ec85979c5ce8d7140f06674f3ed97aefa4adbeb4fe90081876a01c9df2
                                                    • Instruction Fuzzy Hash: 7B32BD70B012049FDB19DFB9C5A0BAEB7F6AF89300F2644A9E9059B395CB34ED41CB51

                                                    Control-flow Graph

                                                    • Executed / Not Executed node coloring not recoverable from the export
                                                    • control_flow_graph for the function at c1d448: calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess, c1d627 and GetCurrentThreadId in sequence
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 00C1D4D6
                                                    • GetCurrentThread.KERNEL32 ref: 00C1D513
                                                    • GetCurrentProcess.KERNEL32 ref: 00C1D550
                                                    • GetCurrentThreadId.KERNEL32 ref: 00C1D5A9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2094289635.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c10000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID: B*j
                                                    • API String ID: 2063062207-2588744886
                                                    • Opcode ID: 703ee01736a3d691553a67df552e8de750c259c69924cf30dc0c59ef3d0ed3eb
                                                    • Instruction ID: 7d117c13f32364e77bea82af95424715c105f951640148d454e82f1e221fafc0
                                                    • Opcode Fuzzy Hash: 703ee01736a3d691553a67df552e8de750c259c69924cf30dc0c59ef3d0ed3eb
                                                    • Instruction Fuzzy Hash: 4F5178B0D002498FDB15CFA9D548BDEBFF2EF89304F20849AE41AA7260D7349984CF65

                                                    Control-flow Graph

                                                    • Executed / Not Executed node coloring not recoverable from the export
                                                    • control_flow_graph for the function at c1d458: calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess, c1d627 and GetCurrentThreadId in sequence
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 00C1D4D6
                                                    • GetCurrentThread.KERNEL32 ref: 00C1D513
                                                    • GetCurrentProcess.KERNEL32 ref: 00C1D550
                                                    • GetCurrentThreadId.KERNEL32 ref: 00C1D5A9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2094289635.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c10000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID: B*j
                                                    • API String ID: 2063062207-2588744886
                                                    • Opcode ID: a5158c8c48ae53cb79120e1337ce4e6ec802ef1a1256481ea92308a9a51c4483
                                                    • Instruction ID: 41c51b52e98713e7f3a4b08ac4316542c24642f636dcc40c3e29357d5ed68201
                                                    • Opcode Fuzzy Hash: a5158c8c48ae53cb79120e1337ce4e6ec802ef1a1256481ea92308a9a51c4483
                                                    • Instruction Fuzzy Hash: E15156B0D002098FDB15DFAAD548BDEBBF5EF88314F20845AE41AA7250D774A984CF65

                                                    Control-flow Graph

                                                    • Executed / Not Executed node coloring not recoverable from the export
                                                    • control_flow_graph for the function at 4ac18e4: single Win32 call to CreateWindowExW
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04AC1A02
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2102025015.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4ac0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID: B*j$B*j
                                                    • API String ID: 716092398-3359529638
                                                    • Opcode ID: 585f72074913482baa22a32fa20e757f412f704e94517a14a9ccd4bde073cbd3
                                                    • Instruction ID: 024abd4287fcc77e0f9eda1ccda768d4056ebbf26504ce18caa9e53b6fd5a0e2
                                                    • Opcode Fuzzy Hash: 585f72074913482baa22a32fa20e757f412f704e94517a14a9ccd4bde073cbd3
                                                    • Instruction Fuzzy Hash: CF51C1B1D103499FDB14CF99C894ADEBFB5FF48310F64822AE819AB211D771A985CF50

                                                    Control-flow Graph

                                                    • Executed / Not Executed node coloring not recoverable from the export
                                                    • control_flow_graph for the function at 4ac18f0: single Win32 call to CreateWindowExW
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04AC1A02
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2102025015.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4ac0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID: B*j$B*j
                                                    • API String ID: 716092398-3359529638

                                                    Control-flow Graph (rendered graph not reproduced)
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00C1B01E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2094289635.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c10000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID: B*j
                                                    • API String ID: 4139908857-2588744886

                                                    Control-flow Graph (rendered graph not reproduced)
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 00C159D1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2094289635.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c10000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID: B*j
                                                    • API String ID: 2289755597-2588744886

                                                    Control-flow Graph (rendered graph not reproduced)
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 00C159D1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2094289635.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c10000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID: B*j
                                                    • API String ID: 2289755597-2588744886

                                                    Control-flow Graph (rendered graph not reproduced)
                                                    APIs
                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 04AC4111
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2102025015.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4ac0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID: CallProcWindow
                                                    • String ID: B*j
                                                    • API String ID: 2714655100-2588744886
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C1D727
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2094289635.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c10000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID: B*j
                                                    • API String ID: 3793708945-2588744886
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C1D727
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2094289635.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c10000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID: B*j
                                                    • API String ID: 3793708945-2588744886
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00C1B01E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2094289635.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c10000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID: B*j
                                                    • API String ID: 4139908857-2588744886
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2106009225.000000000A650000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A650000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_a650000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: <
                                                    • API String ID: 0-4251816714
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2106009225.000000000A650000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A650000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_a650000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: <
                                                    • API String ID: 0-4251816714
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2091649410.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_92d000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2091649410.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_92d000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2091649410.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_92d000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2106009225.000000000A650000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A650000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_a650000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2091649410.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_92d000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2089852325.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_91d000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2089852325.000000000091D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0091D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_91d000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2102025015.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4ac0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2094289635.0000000000C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C10000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_c10000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2102025015.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4ac0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    APIs
                                                    • GetSystemMetrics.USER32 ref: 04ACFE4E
                                                    • GetSystemMetrics.USER32(00000006), ref: 04ACFE88
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2102025015.0000000004AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_4ac0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID: MetricsSystem
                                                    • String ID: B*j
                                                    • API String ID: 4116985748-2588744886

                                                    Execution Graph

                                                    Execution Coverage:11.5%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:3
                                                    Total number of Limit Nodes:0
                                                    Execution graph (rendered graph not reproduced; its node chain calls GlobalMemoryStatusEx)
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 08465ebc05c38055c6694c0544b26825521fc8a8441fb54dd737c76d9616fc31
                                                    • Instruction ID: ecf67f65bd92d363df5be2bdb95b828a587e0a7fe62dc6b7739da2527287443d
                                                    • Opcode Fuzzy Hash: 08465ebc05c38055c6694c0544b26825521fc8a8441fb54dd737c76d9616fc31
                                                    • Instruction Fuzzy Hash: F153FB31D10B1A8ACB51EF68C8845A9F7B1FF99300F11D79AE45877221FB70AAD5CB81
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6af367471dda35752681fd11fa57436c75220d7a8f0cb70cb62e6d267ad170bf
                                                    • Instruction ID: 29c3189a72395a61f677f26b0d78316a83bc81f7dcfaa7b45e0906e92c7bf4de
                                                    • Opcode Fuzzy Hash: 6af367471dda35752681fd11fa57436c75220d7a8f0cb70cb62e6d267ad170bf
                                                    • Instruction Fuzzy Hash: B8332F31D107198EDB11DF68C8946AEF7B1FF99300F15C79AE548A7221EB70AAC5CB81
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \V,m
                                                    • API String ID: 0-3265022799
                                                    • Opcode ID: 0d68287c4678eb88f55d62dd0b99fec52d15255ae1e0257442e30f04d9ef00f3
                                                    • Instruction ID: 0458ed8f774af4f0dc8836abcba7d35f394aa51a7c763faf1c6f569d611f969f
                                                    • Opcode Fuzzy Hash: 0d68287c4678eb88f55d62dd0b99fec52d15255ae1e0257442e30f04d9ef00f3
                                                    • Instruction Fuzzy Hash: 26914E70E002099FDB10CFA9C99579EBBF2BF98314F18812EE515A7364EB749846CB91
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 097d51208003f56778dac5f3946aec8ddf4202d48b04a8ae9f667df76c2f190e
                                                    • Instruction ID: 619045266dd4820ddb6e4c84fed22ddb40a26c0cc379b6556cc4779923bc7196
                                                    • Opcode Fuzzy Hash: 097d51208003f56778dac5f3946aec8ddf4202d48b04a8ae9f667df76c2f190e
                                                    • Instruction Fuzzy Hash: A1B15370E002099FDB14CFA9C98579FBBF2AF88314F19812ED515E73A5EB749846CB81

                                                    Control-flow Graph

                                                    control_flow_graph 2166 14f4804-14f4806 2167 14f480a 2166->2167 2168 14f4808-14f4809 2166->2168 2169 14f480e-14f489c 2167->2169 2170 14f480b-14f480c 2167->2170 2168->2167 2174 14f489e-14f48a9 2169->2174 2175 14f48e6-14f48e8 2169->2175 2170->2169 2174->2175 2176 14f48ab-14f48b7 2174->2176 2177 14f48ea-14f4902 2175->2177 2178 14f48da-14f48e4 2176->2178 2179 14f48b9-14f48c3 2176->2179 2183 14f494c-14f494e 2177->2183 2184 14f4904-14f490f 2177->2184 2178->2177 2180 14f48c7-14f48d6 2179->2180 2181 14f48c5 2179->2181 2180->2180 2185 14f48d8 2180->2185 2181->2180 2187 14f4950-14f4962 2183->2187 2184->2183 2186 14f4911-14f491d 2184->2186 2185->2178 2188 14f491f-14f4929 2186->2188 2189 14f4940-14f494a 2186->2189 2194 14f4969-14f4995 2187->2194 2190 14f492d-14f493c 2188->2190 2191 14f492b 2188->2191 2189->2187 2190->2190 2193 14f493e 2190->2193 2191->2190 2193->2189 2195 14f499b-14f49a9 2194->2195 2196 14f49ab-14f49b1 2195->2196 2197 14f49b2-14f4a0f 2195->2197 2196->2197 2204 14f4a1f-14f4a23 2197->2204 2205 14f4a11-14f4a15 2197->2205 2207 14f4a25-14f4a29 2204->2207 2208 14f4a33-14f4a37 2204->2208 2205->2204 2206 14f4a17-14f4a1a call 14f0ab8 2205->2206 2206->2204 2207->2208 2209 14f4a2b-14f4a2e call 14f0ab8 2207->2209 2210 14f4a39-14f4a3d 2208->2210 2211 14f4a47-14f4a4b 2208->2211 2209->2208 2210->2211 2214 14f4a3f 2210->2214 2215 14f4a4d-14f4a51 2211->2215 2216 14f4a5b 2211->2216 2214->2211 2215->2216 2217 14f4a53 2215->2217 2218 14f4a5c 2216->2218 2217->2216 2218->2218
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \V,m$\V,m
                                                    • API String ID: 0-2328366710
                                                    • Opcode ID: b137f71665ca7d6458560a4d0446aa80b5a5905dd8c2616d450b254a0a5efcd2
                                                    • Instruction ID: af48699b981abe8d9b301ed1a61dd6c6eaa534affc679f57e13f5711e1034de3
                                                    • Opcode Fuzzy Hash: b137f71665ca7d6458560a4d0446aa80b5a5905dd8c2616d450b254a0a5efcd2
                                                    • Instruction Fuzzy Hash: E4716DB1E002499FDB10CFA9C984BDFBBF1AF88314F18812EE515A7364EB749845CB95

                                                    Control-flow Graph

                                                    control_flow_graph 2219 14f4810-14f489c 2222 14f489e-14f48a9 2219->2222 2223 14f48e6-14f48e8 2219->2223 2222->2223 2224 14f48ab-14f48b7 2222->2224 2225 14f48ea-14f4902 2223->2225 2226 14f48da-14f48e4 2224->2226 2227 14f48b9-14f48c3 2224->2227 2231 14f494c-14f494e 2225->2231 2232 14f4904-14f490f 2225->2232 2226->2225 2228 14f48c7-14f48d6 2227->2228 2229 14f48c5 2227->2229 2228->2228 2233 14f48d8 2228->2233 2229->2228 2235 14f4950-14f4995 2231->2235 2232->2231 2234 14f4911-14f491d 2232->2234 2233->2226 2236 14f491f-14f4929 2234->2236 2237 14f4940-14f494a 2234->2237 2243 14f499b-14f49a9 2235->2243 2238 14f492d-14f493c 2236->2238 2239 14f492b 2236->2239 2237->2235 2238->2238 2241 14f493e 2238->2241 2239->2238 2241->2237 2244 14f49ab-14f49b1 2243->2244 2245 14f49b2-14f4a0f 2243->2245 2244->2245 2252 14f4a1f-14f4a23 2245->2252 2253 14f4a11-14f4a15 2245->2253 2255 14f4a25-14f4a29 2252->2255 2256 14f4a33-14f4a37 2252->2256 2253->2252 2254 14f4a17-14f4a1a call 14f0ab8 2253->2254 2254->2252 2255->2256 2257 14f4a2b-14f4a2e call 14f0ab8 2255->2257 2258 14f4a39-14f4a3d 2256->2258 2259 14f4a47-14f4a4b 2256->2259 2257->2256 2258->2259 2262 14f4a3f 2258->2262 2263 14f4a4d-14f4a51 2259->2263 2264 14f4a5b 2259->2264 2262->2259 2263->2264 2265 14f4a53 2263->2265 2266 14f4a5c 2264->2266 2265->2264 2266->2266
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \V,m$\V,m
                                                    • API String ID: 0-2328366710
                                                    • Opcode ID: 0897c4ee97391bc8def914861f9b2f254ad7d7fcec6b1b3e1668ca16105d2965
                                                    • Instruction ID: 00e6662efee9a75d1d98b810fd7d59b7d319e7cf37730cdd1423f2a6eb65bd25
                                                    • Opcode Fuzzy Hash: 0897c4ee97391bc8def914861f9b2f254ad7d7fcec6b1b3e1668ca16105d2965
                                                    • Instruction Fuzzy Hash: CF715070E00249DFDB14CFA9C98479FBBF2AF88314F18812EE515A7364EB749845CB95

                                                    Control-flow Graph

                                                    control_flow_graph 2335 14f6ed8-14f6f42 call 14f6c40 2344 14f6f5e-14f6f6a 2335->2344 2345 14f6f44-14f6f5d call 14f6764 2335->2345 2349 14f6f6e 2344->2349 2350 14f6f6c 2344->2350 2352 14f6f72 2349->2352 2353 14f6f70-14f6f71 2349->2353 2350->2349 2354 14f6f76-14f6f8c 2352->2354 2355 14f6f74 2352->2355 2353->2352 2357 14f6f8e-14f6f91 2354->2357 2355->2354 2358 14f6fcd-14f6fd0 2357->2358 2359 14f6f93-14f6fc8 2357->2359 2360 14f6fd2 2358->2360 2361 14f6fe0-14f6fe3 2358->2361 2359->2358 2384 14f6fd2 call 14f7908 2360->2384 2385 14f6fd2 call 14f80f1 2360->2385 2362 14f7016-14f7019 2361->2362 2363 14f6fe5-14f6ff9 2361->2363 2365 14f702d-14f702f 2362->2365 2366 14f701b-14f7022 2362->2366 2373 14f6fff 2363->2373 2374 14f6ffb-14f6ffd 2363->2374 2364 14f6fd8-14f6fdb 2364->2361 2370 14f7036-14f7039 2365->2370 2371 14f7031 2365->2371 2368 14f70eb-14f70f1 2366->2368 2369 14f7028 2366->2369 2369->2365 2370->2357 2372 14f703f-14f704e 2370->2372 2371->2370 2377 14f7078-14f708d 2372->2377 2378 14f7050-14f7053 2372->2378 2375 14f7002-14f7011 2373->2375 2374->2375 2375->2362 2377->2368 2381 14f705b-14f7076 2378->2381 2381->2377 2381->2378 2384->2364 2385->2364
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LRcq$LRcq
                                                    • API String ID: 0-1357215051
                                                    • Opcode ID: c7c4a32e09199b2e52f18bb7e7e03c98b1defcafdc7387d5ecba9fde59dc2c4b
                                                    • Instruction ID: 7ad141b92b318d446745f95626d47ebb9ec1639939d1448cd49d6aa4c1baeb6b
                                                    • Opcode Fuzzy Hash: c7c4a32e09199b2e52f18bb7e7e03c98b1defcafdc7387d5ecba9fde59dc2c4b
                                                    • Instruction Fuzzy Hash: 0651D070A002059FDB15DF79C45069EBBB2EF8A300F61846EE502EB3A0DB759C46CB91

                                                    Control-flow Graph

                                                    control_flow_graph 3012 640e278-640e27c 3013 640e245-640e266 3012->3013 3014 640e27e-640e2be 3012->3014 3017 640e2c6-640e2f4 GlobalMemoryStatusEx 3014->3017 3018 640e2f6-640e2fc 3017->3018 3019 640e2fd-640e325 3017->3019 3018->3019
                                                    APIs
                                                    • GlobalMemoryStatusEx.KERNELBASE ref: 0640E2E7
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3318710704.0000000006400000.00000040.00000800.00020000.00000000.sdmp, Offset: 06400000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_6400000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemoryStatus
                                                    • String ID:
                                                    • API String ID: 1890195054-0
                                                    • Opcode ID: 36c26a24dbf2597cb27fa9a2b26f3b10e8591fb46d282477646dab365254ee55
                                                    • Instruction ID: d31f519ea3bd367bccba7033ddf74d07ec38b5de6036b337841d7593c21da3cd
                                                    • Opcode Fuzzy Hash: 36c26a24dbf2597cb27fa9a2b26f3b10e8591fb46d282477646dab365254ee55
                                                    • Instruction Fuzzy Hash: 2F2148B5C0025A9FDB10CFAAD444BDEFBF4AF48310F14856AD854A7640D7349940CFA1
                                                    APIs
                                                    • GlobalMemoryStatusEx.KERNELBASE ref: 0640E2E7
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3318710704.0000000006400000.00000040.00000800.00020000.00000000.sdmp, Offset: 06400000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_6400000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemoryStatus
                                                    • String ID:
                                                    • API String ID: 1890195054-0
                                                    • Opcode ID: 321c51215e83f412598a40ae5b04d3fc640971073a01d044fabe3ef572e2e206
                                                    • Instruction ID: 70361346362c171ea3e649892df3427ef426e783099a173b12f2673a3903b00c
                                                    • Opcode Fuzzy Hash: 321c51215e83f412598a40ae5b04d3fc640971073a01d044fabe3ef572e2e206
                                                    • Instruction Fuzzy Hash: 121123B1C0026A9FCB10CF9AC444BDEFBF4AF48320F11816AD818A7240D378A954CFA5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \V,m
                                                    • API String ID: 0-3265022799
                                                    • Opcode ID: 84f54a0bc2aed91d8b15c36d74d5a4d5a5f169b15d3fd2b8acbd90303281bc70
                                                    • Instruction ID: ee076f4d53daaa92208554a974c69708ff5107eb76ec77830c2b16e1d4777531
                                                    • Opcode Fuzzy Hash: 84f54a0bc2aed91d8b15c36d74d5a4d5a5f169b15d3fd2b8acbd90303281bc70
                                                    • Instruction Fuzzy Hash: DDA14FB0E002099FDB10CFA9C9957DEBBF1BF98314F18812EE515A7364EB749846CB91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: PHcq
                                                    • API String ID: 0-4245845256
                                                    • Opcode ID: fbee3fc2ef3a186cff0a542fec16eeea7c09444a3561614a74a27e7cc00bbeeb
                                                    • Instruction ID: 7b2ec42e93d3efff7d27a7eed89e52abe9fc15bac1daedba5d8a92d8a1559d2b
                                                    • Opcode Fuzzy Hash: fbee3fc2ef3a186cff0a542fec16eeea7c09444a3561614a74a27e7cc00bbeeb
                                                    • Instruction Fuzzy Hash: 1341F1717002058FDB16AB78D55466F3BF2AF89200F24447EE506DB3A6EE39DC4ACB91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LRcq
                                                    • API String ID: 0-4134321033
                                                    • Opcode ID: c00a5cdc9ed1f06ca549f7d95fe66f11d8c169126bad8e2c1d2e22901ccdb480
                                                    • Instruction ID: 852519b91ff631ac716ce41f46c43f2941a96fb4e5af3e968c827e66bd632a31
                                                    • Opcode Fuzzy Hash: c00a5cdc9ed1f06ca549f7d95fe66f11d8c169126bad8e2c1d2e22901ccdb480
                                                    • Instruction Fuzzy Hash: 20318174E002099FDB15CF69D45079EB7B2FF85301F50852AEA06E7360EB759D46CB50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LRcq
                                                    • API String ID: 0-4134321033
                                                    • Opcode ID: eda03311f564468b55d374c3dfd85d29563fbe82664ba22abda1332e356028ef
                                                    • Instruction ID: 8ba686119795b7fef80ded0214decb6d36d10bad61e98447efcff9b26433423a
                                                    • Opcode Fuzzy Hash: eda03311f564468b55d374c3dfd85d29563fbe82664ba22abda1332e356028ef
                                                    • Instruction Fuzzy Hash: 591127717082865FC702AB7D842029E7FB1EF8B200B1684EFC585CB3A6DE355C06C7A2
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c04827b9cfd94d41f72ba61e1eb594b0b4a05acfda86da376cdcbb0c3c76dca5
                                                    • Instruction ID: 88b30b05d4bb616c38b9d6707196a322eea1a42742c34ea305691e39985e1673
                                                    • Opcode Fuzzy Hash: c04827b9cfd94d41f72ba61e1eb594b0b4a05acfda86da376cdcbb0c3c76dca5
                                                    • Instruction Fuzzy Hash: DE1262747002069BCB19AB3CE45462977A7FB9A345F20893EEA06CB365CF75DC469BC0
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5e12e0e02bdb923ff4e755305ce807b690ba446b8e9da324e503626c08b04652
                                                    • Instruction ID: 6421ec97cd0bdd6061ce5fc4f3421513e784cb43ec81d2e14a6d54fcda722537
                                                    • Opcode Fuzzy Hash: 5e12e0e02bdb923ff4e755305ce807b690ba446b8e9da324e503626c08b04652
                                                    • Instruction Fuzzy Hash: 7CE17034B002058FDB15DF68D594B6EBBB2EB89314F24442EEA0AD73A5DB35DD42CB80
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a5b2ee3156f27a619c7c057f9bb505174c8a2e531e5dd255a619277b7d067055
                                                    • Instruction ID: eb6c4e4c45d77d1a5d7c9908c54aa11c37b5b068d53b1defa3fe19600d05314c
                                                    • Opcode Fuzzy Hash: a5b2ee3156f27a619c7c057f9bb505174c8a2e531e5dd255a619277b7d067055
                                                    • Instruction Fuzzy Hash: EAC19C71A002058FDF11DF6DD8807AEBBB6FB89314F20856EEA09DB3A5D7309845CB91
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4b9fdaf1895ee2ea338d3a09579516466d3c230261e13ac824345ba21bb0ea28
                                                    • Instruction ID: 13753a1a1bb9d3810984e795ad031a364fa35999ba5d15934218b81eb71a088f
                                                    • Opcode Fuzzy Hash: 4b9fdaf1895ee2ea338d3a09579516466d3c230261e13ac824345ba21bb0ea28
                                                    • Instruction Fuzzy Hash: 4EB14E70E002499FDB10CFA9C98579EBBF1AF88314F18812ED915E73A5EB749846CB81
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a3b75763a8dc89887b12459beb1892c0e1eb5ef4ea9f03e6de6b378e76a419fd
                                                    • Instruction ID: ff27be1f25c8f6ae050dd2c45d2ca432b421f12e0024bf4c98332fad48fa1554
                                                    • Opcode Fuzzy Hash: a3b75763a8dc89887b12459beb1892c0e1eb5ef4ea9f03e6de6b378e76a419fd
                                                    • Instruction Fuzzy Hash: 0C61AF32E1055D8BDB25CB58C5C0BBEFBB2EB84310F19856BC645AB792C334AD81DB90
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9138f8eceed1d6bbc02d70a3b82703d91416e6ff8c085ed55fd413e5bb6c1298
                                                    • Instruction ID: b63449ee3f3640ae2db410bc014a9732b4372fb9a5b707c5c589436dd202f9b4
                                                    • Opcode Fuzzy Hash: 9138f8eceed1d6bbc02d70a3b82703d91416e6ff8c085ed55fd413e5bb6c1298
                                                    • Instruction Fuzzy Hash: 18513571D002198FDB14CFA9C884B9EBBB1FF48310F15802ED919BB3A5D774A845CB51
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1362d8af7c3023692870aa58f97dc540875ae7c836403643cd8822c00fcd616a
                                                    • Instruction ID: a1dfc5266b94be0bfa8dc1e61e31c9d991fa4157b7d9e21cf2e9c9e80196b5ef
                                                    • Opcode Fuzzy Hash: 1362d8af7c3023692870aa58f97dc540875ae7c836403643cd8822c00fcd616a
                                                    • Instruction Fuzzy Hash: 8F512471E002198FDB18CFA9C884B9EBBB1BF48310F15811EE919BB3A5D774A845CF95
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3308781308.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14ad000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a99bc9ac4cbe21047e78c8819188ded12eea9abfc41d7ac60d9a723f94a3529b
                                                    • Instruction ID: 5584360c3be1276db735f5bea0aaf53825063dcee706198d55967c612d489e70
                                                    • Opcode Fuzzy Hash: a99bc9ac4cbe21047e78c8819188ded12eea9abfc41d7ac60d9a723f94a3529b
                                                    • Instruction Fuzzy Hash: 322145B0948200DFCB15CF58D9C0B16BBA5EB94318F60C56ED80A0B766C336C407CA61
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: da27601eab8f05b2f2e0d49263cf04ff8dbaf2964cbc3eafd6aee614a6f23c65
                                                    • Instruction ID: 15575523e02f11ae4f32ef7d4603af55105d139450be5842e5d3a0004ee913fa
                                                    • Opcode Fuzzy Hash: da27601eab8f05b2f2e0d49263cf04ff8dbaf2964cbc3eafd6aee614a6f23c65
                                                    • Instruction Fuzzy Hash: D9217134E0020A9BDB19CFA9D54469FB7B2AF89304F10852FF915B7361DB709946CB50
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5b3727f78d1381417f37bdbc16a603f56180ea7e2942ed1a30e470a2dfdcfaf2
                                                    • Instruction ID: f8c0064c8d983dcf0487d411b3f60e5f5ba20ab136b04eb87f4b82b8a5cb4278
                                                    • Opcode Fuzzy Hash: 5b3727f78d1381417f37bdbc16a603f56180ea7e2942ed1a30e470a2dfdcfaf2
                                                    • Instruction Fuzzy Hash: BD213E30B00209CFDB55EB78C564BAF77F1AB49645F10056DD606EB364DB329D41CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5e9bf0302755fcc8e9c7907de7eb350bd344bda9d8e2e0716218b15c57ada9f4
                                                    • Instruction ID: 69c0018e0477bc26d6219b2188134ebab2c3d314ddeff07dd1982db93cd1e533
                                                    • Opcode Fuzzy Hash: 5e9bf0302755fcc8e9c7907de7eb350bd344bda9d8e2e0716218b15c57ada9f4
                                                    • Instruction Fuzzy Hash: B22193746002078BDF13EB2CE8A4B5A3766E745754F205A2BE60AC737ADB34DC518B91
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f52c8a60065032c9fb5ea412fcd4396d324411801458c696fe199fa205e3ae3f
                                                    • Instruction ID: b3240f89348d7b4dd5dcef546b4ab9220a84673fac86163a9857d06727d82ffc
                                                    • Opcode Fuzzy Hash: f52c8a60065032c9fb5ea412fcd4396d324411801458c696fe199fa205e3ae3f
                                                    • Instruction Fuzzy Hash: CE216D30B00209CFEB55EB78C564BAE77F1AF59645F10056ED606EB3A4DB368D01CB91
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e200d46441950a91f96516a2f030ddb96518718bb11a1d40897e2091dd158b5f
                                                    • Instruction ID: 75282fc471a8af90db4cf6f5668d5b751c4c16ce61bf0d17ff770b18ff1babba
                                                    • Opcode Fuzzy Hash: e200d46441950a91f96516a2f030ddb96518718bb11a1d40897e2091dd158b5f
                                                    • Instruction Fuzzy Hash: 44211670700209CFCB14EF79D5A8AAE77F1AB49645B104569E606EB3B4DB329D00CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2b772264d5ac145f64a4a0d325f6f2a15ffbfb1dc999aeaad81c5d272b9b51a0
                                                    • Instruction ID: 3b92276c980603385b189467096e91452e8a306379f3fab043207de8e9677f44
                                                    • Opcode Fuzzy Hash: 2b772264d5ac145f64a4a0d325f6f2a15ffbfb1dc999aeaad81c5d272b9b51a0
                                                    • Instruction Fuzzy Hash: DB11B231A01255CFCB11EFB888545FE7FB6EF98610B1844BFD605E7322E635D8428BA1
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f714132f8c483a00aaaf66903a9f5bf1183bb126188dc4722bf982f14ef01b41
                                                    • Instruction ID: 83f1cec427cb2e6c40d3d0cfa72cd82fa4cc47afb4f2e11dd2bc3b38d697706d
                                                    • Opcode Fuzzy Hash: f714132f8c483a00aaaf66903a9f5bf1183bb126188dc4722bf982f14ef01b41
                                                    • Instruction Fuzzy Hash: 6B110376F00601DBCF00ABB9999869E7FF5EB48A10F00097AD609D3355EA318C028781
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8a8d7656b0033f654b4bb5cfe22149de7e99332a21bcf054508972ef5eb95289
                                                    • Instruction ID: 516610743e13bfe976b97ee08f0130fa3d7cf6dcdbc00985eb399d7255905f9c
                                                    • Opcode Fuzzy Hash: 8a8d7656b0033f654b4bb5cfe22149de7e99332a21bcf054508972ef5eb95289
                                                    • Instruction Fuzzy Hash: 23118230A052054BEF265A7C941036E3766EBC1254F24897FF606DB3A3D674CC858BD1
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 21e2770196b59a7644b5eff5bbb55440fada1cdc7935fbdc6c2097b9e5eda160
                                                    • Instruction ID: b2fd66fb7041e233fb032dc67adf06ac9efe4b74a30886d92e3a06c2526d0a7e
                                                    • Opcode Fuzzy Hash: 21e2770196b59a7644b5eff5bbb55440fada1cdc7935fbdc6c2097b9e5eda160
                                                    • Instruction Fuzzy Hash: 0911B47460020A9FDF01EF6CF95065E7BA2EB84300F20496BDA05CB369DB359E458B81
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0cdce14fdf43229538d58874062d94da1933cdac5ae318d5ac398320298c8264
                                                    • Instruction ID: 27a37061f6bd5363e1d1544fb33c452d36a926e50abe7dc7df4230ee329a11bf
                                                    • Opcode Fuzzy Hash: 0cdce14fdf43229538d58874062d94da1933cdac5ae318d5ac398320298c8264
                                                    • Instruction Fuzzy Hash: AE118C30B012098BEF269A7DD45472A36A6EBC5250F20497FF606CB363DA74DC828BC1
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3308781308.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14ad000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 16d6fcbfad7cdab167ad1424f0abccfa7212cc846885a93592e2eb874392961e
                                                    • Instruction ID: b1857c74e780ec5462b6a66449801ec65bfea1daecea0599b29398cc3f47367f
                                                    • Opcode Fuzzy Hash: 16d6fcbfad7cdab167ad1424f0abccfa7212cc846885a93592e2eb874392961e
                                                    • Instruction Fuzzy Hash: C22192755493808FDB03CF24D594716BF71EB46214F29C5DBD8498F6A7C33A980ACB62
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.3309147931.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_14f0000_0PPJsQE4wD.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:

                                                    Execution Graph

                                                    Execution Coverage: 8.4%
                                                    Dynamic/Decrypted Code Coverage: 100%
                                                    Signature Coverage: 0%
                                                    Total number of Nodes: 160
                                                    Total number of Limit Nodes: 10

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0566B92E
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2139122120.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_5660000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0566B92E
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2139122120.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_5660000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0

                                                    Control-flow Graph

                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 04F6B01E
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2137314201.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_4f60000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 04F659D1
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2137314201.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_4f60000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 04F659D1
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2137314201.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_4f60000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0

                                                    Control-flow Graph

                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0566B500
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2139122120.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_5660000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0

                                                    Control-flow Graph

                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0566B500
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2139122120.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_5660000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0

                                                    Control-flow Graph

                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0566B5E0
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2139122120.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_5660000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0

                                                    Control-flow Graph

                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04F6D666,?,?,?,?,?), ref: 04F6D727
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2137314201.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_4f60000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0

                                                    Control-flow Graph

                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04F6D666,?,?,?,?,?), ref: 04F6D727
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2137314201.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_4f60000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: a56bc46704f9e91de6aaee3c965ad088883426186635b419b3688561193fafb9
                                                    • Instruction ID: 3d284b6d194031409442008f8dfcf5094693cff693405fcedab56d60c4c1e9d2
                                                    • Opcode Fuzzy Hash: a56bc46704f9e91de6aaee3c965ad088883426186635b419b3688561193fafb9
                                                    • Instruction Fuzzy Hash: 5A2123B5D002489FDB10CFAAD985ADEBFF4FB48310F25801AE959A3310C378A941CFA5

                                                    Control-flow Graph
                                                    • Basic blocks: 566b2d0-566b323, 566b325-566b331, 566b333-566b363 (calls Wow64SetThreadContext), 566b365-566b36b, 566b36c-566b39c
                                                    • Edges: 566b2d0 -> 566b325; 566b2d0 -> 566b333; 566b325 -> 566b333; 566b333 -> 566b365; 566b333 -> 566b36c; 566b365 -> 566b36c
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0566B356
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2139122120.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_5660000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: d395c241df594d03f6e0df52e1c317e47f181ceb71bd3056a2316f5d8a3ada09
                                                    • Instruction ID: 1d280a7fa8cd6ba17968fac90baf716acdb1c9015cccada54f50f203b19a1221
                                                    • Opcode Fuzzy Hash: d395c241df594d03f6e0df52e1c317e47f181ceb71bd3056a2316f5d8a3ada09
                                                    • Instruction Fuzzy Hash: FE215771D002098FDB10DFAAC4857EEBBF4AB88314F24842AD819B7240CB789945CFA1

                                                    Control-flow Graph
                                                    • Basic blocks: 566b560-566b5ed (calls ReadProcessMemory), 566b5ef-566b5f5, 566b5f6-566b626
                                                    • Edges: 566b560 -> 566b5f6; 566b560 -> 566b5ef; 566b5ef -> 566b5f6
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0566B5E0
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2139122120.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_5660000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: 8674c9aceb906906da0e215a47a60c05193aec6bc5e0111f8678bff6caf46c9f
                                                    • Instruction ID: 0175fafa01dd359f08054403fbd1449736e86184267a843d2c1beec0deac4baf
                                                    • Opcode Fuzzy Hash: 8674c9aceb906906da0e215a47a60c05193aec6bc5e0111f8678bff6caf46c9f
                                                    • Instruction Fuzzy Hash: 0C2128B1C003499FCB10DFAAC885ADEFBF5FF88310F508429E519A7250C7349545DBA1

                                                    Control-flow Graph
                                                    • Basic blocks: 566b2d8-566b323, 566b325-566b331, 566b333-566b363 (calls Wow64SetThreadContext), 566b365-566b36b, 566b36c-566b39c
                                                    • Edges: 566b2d8 -> 566b325; 566b2d8 -> 566b333; 566b325 -> 566b333; 566b333 -> 566b365; 566b333 -> 566b36c; 566b365 -> 566b36c
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0566B356
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2139122120.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_5660000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: c14de5d411fc4d31ef0b2e4396b4c3c1a211ec9d6299702825446e8cfc548306
                                                    • Instruction ID: 57fb30fc395fb8a3c29452a40840fe38765493a2b798053584948678db86e1fc
                                                    • Opcode Fuzzy Hash: c14de5d411fc4d31ef0b2e4396b4c3c1a211ec9d6299702825446e8cfc548306
                                                    • Instruction Fuzzy Hash: 392115B1D003098FDB10DFAAC4857EEBBF4EF88324F54842AD459A7241DB78A945CFA5
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0566B41E
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2139122120.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_5660000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 24a43525c0618de8ff607533a3d17ab345d10baf2e964842a0c3cd6416d24491
                                                    • Instruction ID: 15dcc769050ac9e814f1f3446c0e80765b531b961c723dcb0c98f5be2edde78c
                                                    • Opcode Fuzzy Hash: 24a43525c0618de8ff607533a3d17ab345d10baf2e964842a0c3cd6416d24491
                                                    • Instruction Fuzzy Hash: CB116472C002498FCB10DFAAC844AEFBFF5EF88324F24881AE459A7250C7359954DFA1
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0566B41E
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2139122120.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_5660000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 5ab8d22b17e1d4f455b2e11afde9b4898c8ac59191c4785f89717d8139efcc82
                                                    • Instruction ID: a5a98d66f4f31d4c525e58539edcd98c9300b7384ac3a63c52591cac7cfd2c5f
                                                    • Opcode Fuzzy Hash: 5ab8d22b17e1d4f455b2e11afde9b4898c8ac59191c4785f89717d8139efcc82
                                                    • Instruction Fuzzy Hash: 7B113472D002499FCB10DFAAC845AEFBFF5EF88324F248419E519A7250C775A944DFA1
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2139122120.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_5660000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: cabd5607bde5086e1bba677274be3fc38f55dbd0371c76454976b5212385b30f
                                                    • Instruction ID: 24bfa82f9959f0a794e096a3bbf8127c5baab9e6a2bdba45a8ea3fd03a2c935d
                                                    • Opcode Fuzzy Hash: cabd5607bde5086e1bba677274be3fc38f55dbd0371c76454976b5212385b30f
                                                    • Instruction Fuzzy Hash: 351143B1D002498FCB20DFAAD8457EEFBF8EB88324F24841AC419A7240C734A945CFA5
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2139122120.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_5660000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: 6bea5cc601ecb1e2a430ff2ce1e0d7b2a07d0c0b08fa091c0cb2a929a2ea0784
                                                    • Instruction ID: 644d925686c592f06994562c56098611881d63b4341db71e3eb5ce5dea9fb7ba
                                                    • Opcode Fuzzy Hash: 6bea5cc601ecb1e2a430ff2ce1e0d7b2a07d0c0b08fa091c0cb2a929a2ea0784
                                                    • Instruction Fuzzy Hash: 081125B1D002498FCB20DFAAC8457AEFBF8AB88324F208419D419A7240CB75A944CFA5
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 0566E8ED
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2139122120.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_5660000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: e2dc5e0b82593d3a65363d3e508c49c6ae87342ca692d1bbedff90e207c79651
                                                    • Instruction ID: a46f45b5725a1835f3355be8ce46dc7610bb140ef2f152d0e2beb1d5f1a3276a
                                                    • Opcode Fuzzy Hash: e2dc5e0b82593d3a65363d3e508c49c6ae87342ca692d1bbedff90e207c79651
                                                    • Instruction Fuzzy Hash: 5611F8B58003499FCB10DF99D849BDEBFF8FB48310F10845AD554A7641C375A584CFA5
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 04F6B01E
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2137314201.0000000004F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F60000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_4f60000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: e6a1d331eb81d493134518f074372d980de36bd7c93bf3a530b61bb3c2d84860
                                                    • Instruction ID: 1b9f5a7e43314e9bea580a7c0d3a3314ce887a755e7e1c4b9ff0d4f632ad0d91
                                                    • Opcode Fuzzy Hash: e6a1d331eb81d493134518f074372d980de36bd7c93bf3a530b61bb3c2d84860
                                                    • Instruction Fuzzy Hash: 1511E0B5C003599FDB10DF9AD844BDEFBF4EB88314F11841AD829A7210D375A545CFA5
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 0566E8ED
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2139122120.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_5660000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: c7e06ff6c75894df196fab0699bcd39498e5cf85e7c10b0dcaccb1afe5afbcd4
                                                    • Instruction ID: 38344b9b18c6ad1bf40b8f7f2acf0d32ccdea363c282ebbea2c13afb1332662d
                                                    • Opcode Fuzzy Hash: c7e06ff6c75894df196fab0699bcd39498e5cf85e7c10b0dcaccb1afe5afbcd4
                                                    • Instruction Fuzzy Hash: B011F2B5C003499FCB50DF9AD888BDEBBF8EB48310F208459E919A7240D375A954CFA5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2139766704.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_71c0000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: <
                                                    • API String ID: 0-4251816714
                                                    • Opcode ID: a37eb5daa90c399d5086ce9ba169df3a86c07ce0b193f1e53fb2a9dba361c313
                                                    • Instruction ID: 6f23a1d1e1a47761d81cae6224c8c2797a2fe4fa86d5269bed947f68e314b2b5
                                                    • Opcode Fuzzy Hash: a37eb5daa90c399d5086ce9ba169df3a86c07ce0b193f1e53fb2a9dba361c313
                                                    • Instruction Fuzzy Hash: E9E0486054E2C4C9DB02C7B85D156FABF74CF07204F1958CBC48557093E7754919D702
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2139766704.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_71c0000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: <
                                                    • API String ID: 0-4251816714
                                                    • Opcode ID: 61c47a21f264db7cb818844fc3b4d1c6be5eb00790f1c3996f5b547fc4bd98e5
                                                    • Instruction ID: 4e548fc9a6dfc9eefb14fa29a7a0734f55ee7769f6b6c13d75e00c6d69e9db6e
                                                    • Opcode Fuzzy Hash: 61c47a21f264db7cb818844fc3b4d1c6be5eb00790f1c3996f5b547fc4bd98e5
                                                    • Instruction Fuzzy Hash: 9DD0A7B054A108D6DA04E6E9DD09ABAF7ACCB07210F04585DD805231D09BB04914DA46
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2127637166.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_eed000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ac2bccc0709eb7ecf6150f1d5125e7ed42bc7ce3bc78000aa80c71fbaa4e548d
                                                    • Instruction ID: 1e5482d5d358fef12658db2d37dab34dd03b2f2fb5b597806a4ef02d8ebf03a1
                                                    • Opcode Fuzzy Hash: ac2bccc0709eb7ecf6150f1d5125e7ed42bc7ce3bc78000aa80c71fbaa4e548d
                                                    • Instruction Fuzzy Hash: 372148B1508288DFDB01DF04DDC0B16BFA5FBA4324F24C569E8095B286C336E816C6A2
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2129406999.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_efd000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 31ad2288f5a85c2327e85754d491782b9530a0ca32696561050fe99560042733
                                                    • Instruction ID: 1a1bb907352e6463d3d4d940fb7641a4a115e18b3205e6612040b4539ea73810
                                                    • Opcode Fuzzy Hash: 31ad2288f5a85c2327e85754d491782b9530a0ca32696561050fe99560042733
                                                    • Instruction Fuzzy Hash: 0921F571608248DFDB15DF14D9C4B26BF67EB84318F34C56DDA0A5B286CB36D807CA61
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2129406999.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_efd000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a2d5955f15c1281bd931c5527189ce42df5a97bf22f3e1d38c36c98ac251dd9a
                                                    • Instruction ID: 8b4720502dc8d329ffc3f1b38e67fa9de5f09bc9d2fa1ab34c5c5e74572146f9
                                                    • Opcode Fuzzy Hash: a2d5955f15c1281bd931c5527189ce42df5a97bf22f3e1d38c36c98ac251dd9a
                                                    • Instruction Fuzzy Hash: C32107B1508208EFEB05DF54D9C0B36BFA6FB84318F34C56DDA095B265C336D816CAA1
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2129406999.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_efd000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9684c13a045828098d57016339ba91ac0b41d3b69b94d00840714903c0794644
                                                    • Instruction ID: 9219bcfc13b5de86a9864f2cea992b57c100747cbad30d6c04eb5b4de9586119
                                                    • Opcode Fuzzy Hash: 9684c13a045828098d57016339ba91ac0b41d3b69b94d00840714903c0794644
                                                    • Instruction Fuzzy Hash: C721807550D3848FDB02CF24D994715BF72EB46314F28C5EAD9498B6A7C33A980ACB62
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2127637166.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_eed000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                    • Instruction ID: 734fedb63789cff96bcb30af2bbe655d5b7caa8c9c0d21dad79cda216046ff66
                                                    • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                                                    • Instruction Fuzzy Hash: 65112676404284CFCB12CF00D9C4B16BF71FBA4324F24C2A9D8090B656C33AE85ACBA1
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2129406999.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_efd000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                    • Instruction ID: 6252b60aa5ee5487738412d88ab598e940bdd188d196644265f5f7e4dbd3be67
                                                    • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                                                    • Instruction Fuzzy Hash: 8F11BE75508244DFDB02CF50D9C4B25BF62FB84318F24C6AAD9494B666C33AD81ACB91
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2127637166.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_eed000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aed4b52356e3c4da314686e448046aa143a394822aff090126ad29e6b7a2c5ac
                                                    • Instruction ID: d4ce104b453ea2cc85aca4fff470146d510c806c201f41bc59ccf1c47de78c7d
                                                    • Opcode Fuzzy Hash: aed4b52356e3c4da314686e448046aa143a394822aff090126ad29e6b7a2c5ac
                                                    • Instruction Fuzzy Hash: 0C01F7710083889AE7104B1ADCC4766BFA8DF45324F28C81BEC081A286C3389C40C671
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2127637166.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_eed000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b1ad09f43414b1c8437ead064be9faeab29d125c4e4de5ec792103731094ef14
                                                    • Instruction ID: 652fb8fc085dc53cdc6ade4bfa987360a5e164a7d967eb1bc2ff07a05ebcaec4
                                                    • Opcode Fuzzy Hash: b1ad09f43414b1c8437ead064be9faeab29d125c4e4de5ec792103731094ef14
                                                    • Instruction Fuzzy Hash: B3F0C2714083849EE7108B0ADC84B62FFA8EF50724F18C45AED081A286C3799C44CAB0

                                                    Execution Graph

                                                    Execution Coverage:11.7%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:19
                                                    Total number of Limit Nodes:4
                                                    • Nodes (address, resolved API where present): 1620848, 162084e, 162091b, 1621380, 1621396, 1621480, 1627090, 162709a, 16270b4, 662d388, 662d398, 662d3ad, 662d5c2, 662d5d8 GlobalMemoryStatusEx, 662d5e8 GlobalMemoryStatusEx
                                                    • Path: 1620848 -> 162084e -> 1621380 -> 1621396 -> 1627090 -> 162709a -> 662d388 / 662d398 -> 662d3ad -> GlobalMemoryStatusEx (662d5d8, 662d5e8; both return to 662d3ad) -> 662d5c2 -> 16270b4 -> 1621396 -> 1621480 -> 162084e -> 162091b
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 80db7c6728de969b542663a821e10407769176900e10731cd8c511f268f9d55d
                                                    • Instruction ID: f237a300595d3c3d96548b21d91a0ac9fdd902adef6f91ee0602e6e79c54eedc
                                                    • Opcode Fuzzy Hash: 80db7c6728de969b542663a821e10407769176900e10731cd8c511f268f9d55d
                                                    • Instruction Fuzzy Hash: F453E731D10B1A8ACB51EF68C8845A9F7B1FF99300F11D79AE45877221EB70AAD5CF81
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e86d5d45969b76114a3b4117ca235fad9fc16fe4c444e75a7607c4f921db0578
                                                    • Instruction ID: e60b0b17a3ba043308b1c757ec33b71cfaa6b5641a47548b9cf94753077f1515
                                                    • Opcode Fuzzy Hash: e86d5d45969b76114a3b4117ca235fad9fc16fe4c444e75a7607c4f921db0578
                                                    • Instruction Fuzzy Hash: 88331E31D10B1A8EDB11DF68C8846ADF7B1FF99300F55C69AE448A7211EB70AAC5CF81
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \V,m
                                                    • API String ID: 0-3265022799
                                                    • Opcode ID: eb3506e01e5f7d805417dd33a8dcfae6159068cf3396a78dfaf7bd2923ac2172
                                                    • Instruction ID: 12c83a886741072710a7baf6fa43d6391f0002e3a56e92a7e8b8ff5026d25e8d
                                                    • Opcode Fuzzy Hash: eb3506e01e5f7d805417dd33a8dcfae6159068cf3396a78dfaf7bd2923ac2172
                                                    • Instruction Fuzzy Hash: F1915D70E006199FDB10CFA9D985BEEBBF2AF98314F148129E415A7354DB749886CF81
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9f13606e39ce415047d00e8a7a7f4cd4004850279a49ede0c176961ad4d66d99
                                                    • Instruction ID: 979868e9b704ad142f2780a1db395939b41637ce3f92b34b6dd883aae68ee975
                                                    • Opcode Fuzzy Hash: 9f13606e39ce415047d00e8a7a7f4cd4004850279a49ede0c176961ad4d66d99
                                                    • Instruction Fuzzy Hash: 57329074A002258FDB14DFA8D984BADBBB2FF88314F148469E909EB395DB35DC41CB90
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2e2e91bd70363ad04132a2e198d8a89429defb700510d5de90ae0a1637cc4023
                                                    • Instruction ID: b1f92e051b84a54c3d57b3036aecb108cffba507f1c525e8cf4f9ef624b59c76
                                                    • Opcode Fuzzy Hash: 2e2e91bd70363ad04132a2e198d8a89429defb700510d5de90ae0a1637cc4023
                                                    • Instruction Fuzzy Hash: A1B15B71E006299FDB10CFA9CC8579DBBF2AF88354F148529D819EB394EB749846CF81

                                                    Control-flow Graph
                                                    control_flow_graph 2258 1624810-162489c 2261 16248e6-16248e8 2258->2261 2262 162489e-16248a9 2258->2262 2264 16248ea-1624902 2261->2264 2262->2261 2263 16248ab-16248b7 2262->2263 2265 16248da-16248e4 2263->2265 2266 16248b9-16248c3 2263->2266 2271 1624904-162490f 2264->2271 2272 162494c-162494e 2264->2272 2265->2264 2267 16248c7-16248d6 2266->2267 2268 16248c5 2266->2268 2267->2267 2270 16248d8 2267->2270 2268->2267 2270->2265 2271->2272 2274 1624911-162491d 2271->2274 2273 1624950-1624995 2272->2273 2282 162499b-16249a9 2273->2282 2275 1624940-162494a 2274->2275 2276 162491f-1624929 2274->2276 2275->2273 2278 162492b 2276->2278 2279 162492d-162493c 2276->2279 2278->2279 2279->2279 2280 162493e 2279->2280 2280->2275 2283 16249b2-1624a0f 2282->2283 2284 16249ab-16249b1 2282->2284 2291 1624a11-1624a15 2283->2291 2292 1624a1f-1624a23 2283->2292 2284->2283 2291->2292 2293 1624a17-1624a1a call 1620ab8 2291->2293 2294 1624a33-1624a37 2292->2294 2295 1624a25-1624a29 2292->2295 2293->2292 2298 1624a47-1624a4b 2294->2298 2299 1624a39-1624a3d 2294->2299 2295->2294 2297 1624a2b-1624a2e call 1620ab8 2295->2297 2297->2294 2301 1624a5b 2298->2301 2302 1624a4d-1624a51 2298->2302 2299->2298 2300 1624a3f 2299->2300 2300->2298 2305 1624a5c 2301->2305 2302->2301 2304 1624a53 2302->2304 2304->2301 2305->2305
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \V,m$\V,m
                                                    • API String ID: 0-2328366710
                                                    • Opcode ID: b3d201bdfa89fa177aed07f1a1421cd9227413f72f4620c1b9e27d1c892052d6
                                                    • Instruction ID: e75b627110a8a862f8296991a4930a7bc15630da00eceba6afd5e27a0f8179fa
                                                    • Opcode Fuzzy Hash: b3d201bdfa89fa177aed07f1a1421cd9227413f72f4620c1b9e27d1c892052d6
                                                    • Instruction Fuzzy Hash: 077159B0E006599FDB14CFA9C8847DEBBF2AF88314F148129E819A7354EB749846CF95

                                                    Control-flow Graph
                                                    control_flow_graph 2306 1624804-162489c 2309 16248e6-16248e8 2306->2309 2310 162489e-16248a9 2306->2310 2312 16248ea-1624902 2309->2312 2310->2309 2311 16248ab-16248b7 2310->2311 2313 16248da-16248e4 2311->2313 2314 16248b9-16248c3 2311->2314 2319 1624904-162490f 2312->2319 2320 162494c-162494e 2312->2320 2313->2312 2315 16248c7-16248d6 2314->2315 2316 16248c5 2314->2316 2315->2315 2318 16248d8 2315->2318 2316->2315 2318->2313 2319->2320 2322 1624911-162491d 2319->2322 2321 1624950-1624962 2320->2321 2329 1624969-1624995 2321->2329 2323 1624940-162494a 2322->2323 2324 162491f-1624929 2322->2324 2323->2321 2326 162492b 2324->2326 2327 162492d-162493c 2324->2327 2326->2327 2327->2327 2328 162493e 2327->2328 2328->2323 2330 162499b-16249a9 2329->2330 2331 16249b2-1624a0f 2330->2331 2332 16249ab-16249b1 2330->2332 2339 1624a11-1624a15 2331->2339 2340 1624a1f-1624a23 2331->2340 2332->2331 2339->2340 2341 1624a17-1624a1a call 1620ab8 2339->2341 2342 1624a33-1624a37 2340->2342 2343 1624a25-1624a29 2340->2343 2341->2340 2346 1624a47-1624a4b 2342->2346 2347 1624a39-1624a3d 2342->2347 2343->2342 2345 1624a2b-1624a2e call 1620ab8 2343->2345 2345->2342 2349 1624a5b 2346->2349 2350 1624a4d-1624a51 2346->2350 2347->2346 2348 1624a3f 2347->2348 2348->2346 2353 1624a5c 2349->2353 2350->2349 2352 1624a53 2350->2352 2352->2349 2353->2353
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \V,m$\V,m
                                                    • API String ID: 0-2328366710
                                                    • Opcode ID: f5a67ee3da76f10022407447d3aa223cd90a1efcd5541a53841e580f3bc3278a
                                                    • Instruction ID: c5d9eed28134f5ba25dd26f4c33434286f7c629912ebf8ed6eb9f4eb6f9ce4c8
                                                    • Opcode Fuzzy Hash: f5a67ee3da76f10022407447d3aa223cd90a1efcd5541a53841e580f3bc3278a
                                                    • Instruction Fuzzy Hash: B07179B0E006599FDF10CFA8C9857DEBBF2AF88314F148129E819A7354EB749846CF91

                                                    Control-flow Graph
                                                    control_flow_graph 2422 1626ed8-1626f42 call 1626c40 2431 1626f44-1626f5d call 1626764 2422->2431 2432 1626f5e-1626f8c 2422->2432 2437 1626f8e-1626f91 2432->2437 2439 1626f93-1626fc8 2437->2439 2440 1626fcd-1626fd0 2437->2440 2439->2440 2441 1626fd2 2440->2441 2442 1626fe0-1626fe3 2440->2442 2465 1626fd2 call 16280f1 2441->2465 2466 1626fd2 call 1627908 2441->2466 2467 1626fd2 call 1627918 2441->2467 2443 1627016-1627019 2442->2443 2444 1626fe5-1626ff9 2442->2444 2445 162701b-1627022 2443->2445 2446 162702d-162702f 2443->2446 2453 1626ffb-1626ffd 2444->2453 2454 1626fff 2444->2454 2448 16270eb-16270f1 2445->2448 2449 1627028 2445->2449 2450 1627031 2446->2450 2451 1627036-1627039 2446->2451 2447 1626fd8-1626fdb 2447->2442 2449->2446 2450->2451 2451->2437 2455 162703f-162704e 2451->2455 2456 1627002-1627011 2453->2456 2454->2456 2459 1627050-1627053 2455->2459 2460 1627078-162708d 2455->2460 2456->2443 2462 162705b-1627076 2459->2462 2460->2448 2462->2459 2462->2460 2465->2447 2466->2447 2467->2447
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LRcq$LRcq
                                                    • API String ID: 0-1357215051
                                                    • Opcode ID: ac06e2154457da1683f35cefc4d0ec452cd28f717b58abbdc8d325c357c9e1cb
                                                    • Instruction ID: 69078cd8160805216a46a88e620d79e5413e2c628b12c61e8e413ebda5c108f2
                                                    • Opcode Fuzzy Hash: ac06e2154457da1683f35cefc4d0ec452cd28f717b58abbdc8d325c357c9e1cb
                                                    • Instruction Fuzzy Hash: 0A41D470E006199FDB15DF78C950BAEB7B2EF89300F508429E805EB391DB759C45CB91

                                                    Control-flow Graph
                                                    control_flow_graph 3084 662e278-662e27c 3085 662e245-662e261 3084->3085 3086 662e27e-662e2be 3084->3086 3093 662e263-662e266 3085->3093 3094 662e267-662e277 3085->3094 3089 662e2c6-662e2f4 GlobalMemoryStatusEx 3086->3089 3091 662e2f6-662e2fc 3089->3091 3092 662e2fd-662e325 3089->3092 3091->3092
                                                    APIs
                                                    • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0662E1FA), ref: 0662E2E7
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3318879354.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_6620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemoryStatus
                                                    • String ID:
                                                    • API String ID: 1890195054-0
                                                    • Opcode ID: dff24ddb6e2fba5e7de9c7b2fda8c8b28057f44e30d47067de47f765d1aa80fd
                                                    • Instruction ID: f073d08402a5199c1fc9bafe9c746b653928c34a68eb39121b20bbc50d85d721
                                                    • Opcode Fuzzy Hash: dff24ddb6e2fba5e7de9c7b2fda8c8b28057f44e30d47067de47f765d1aa80fd
                                                    • Instruction Fuzzy Hash: 052159B1C0161A9BCB14CFAAD444BDEFBF4EF48320F25856AD818A7740D778A940CFA1
                                                    APIs
                                                    • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0662E1FA), ref: 0662E2E7
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3318879354.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_6620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemoryStatus
                                                    • String ID:
                                                    • API String ID: 1890195054-0
                                                    • Opcode ID: c075f103018dcd314fd169b822867cd1a1f0759122a1fd011011457e6079ddbc
                                                    • Instruction ID: 428e1c6e4c98d3da94ef923a1339bdac327d4a137f89049d56a52d3d9e860447
                                                    • Opcode Fuzzy Hash: c075f103018dcd314fd169b822867cd1a1f0759122a1fd011011457e6079ddbc
                                                    • Instruction Fuzzy Hash: C61133B1C0066A9BCB10CF9AC444B9EFBF4EB48310F11856AE918B7240D378A940CFA5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: \V,m
                                                    • API String ID: 0-3265022799
                                                    • Opcode ID: 18da98c49808efd6462d285e0c61ba37fe5c0e27b0c6406cffff0077b6e9c818
                                                    • Instruction ID: 547ec6d0f1004910024b737c6aa2b2a44e491721cb10c80f37495b896db5632e
                                                    • Opcode Fuzzy Hash: 18da98c49808efd6462d285e0c61ba37fe5c0e27b0c6406cffff0077b6e9c818
                                                    • Instruction Fuzzy Hash: A9914D70E006199FDB10CFA8D985BDEBBF2BF58314F248129E419A7354DB749886CF81
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: PHcq
                                                    • API String ID: 0-4245845256
                                                    • Opcode ID: 225d95e16f2465d3cf725b54e61314faebf1092f774d5fb5f7b76c196e98a597
                                                    • Instruction ID: 495e63283dee63fec3af517a41f8803fa09a99d3fa55933ea3dcbaea5d54c7be
                                                    • Opcode Fuzzy Hash: 225d95e16f2465d3cf725b54e61314faebf1092f774d5fb5f7b76c196e98a597
                                                    • Instruction Fuzzy Hash: C1312F30B002169FCB16AB78C95466E7BF2EF85600F6444A9E406EB386DF79DC46CBD1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: PHcq
                                                    • API String ID: 0-4245845256
                                                    • Opcode ID: 57d40c923206ced3e355987685888678f884cc5627a836a13bc787f37ba9eb48
                                                    • Instruction ID: 3ee7e533e191ff195c77ca6d6daa0d7251284f0b46aa555ee3effc8c08442ac3
                                                    • Opcode Fuzzy Hash: 57d40c923206ced3e355987685888678f884cc5627a836a13bc787f37ba9eb48
                                                    • Instruction Fuzzy Hash: CB31EF30B002169FDB15AB78C95466E7BF2AF88600F6444A8D406EB385DF79DC46CBD1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LRcq
                                                    • API String ID: 0-4134321033
                                                    • Opcode ID: a99258ee79c33b94d49341bc26d6a9d2a48b19bccd0a1e15cf7efe3c82aaf212
                                                    • Instruction ID: 9f3640fb1cc42625c4c727e8493591502e6195299680a8dc9cd31f93aebf4354
                                                    • Opcode Fuzzy Hash: a99258ee79c33b94d49341bc26d6a9d2a48b19bccd0a1e15cf7efe3c82aaf212
                                                    • Instruction Fuzzy Hash: 3F318F74E006199BDB15CFA9D840BAEF7B2FF89300F508529E806EB350EB75A846CF50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LRcq
                                                    • API String ID: 0-4134321033
                                                    • Opcode ID: 630073ce6d3674abc00f1195a97b579814a7769efb4daa53dedf4bfce6fd7d72
                                                    • Instruction ID: 4fdab977011a41270cc7623e139f94dfe81e21ab51dde71b5a59e18223ecefb2
                                                    • Opcode Fuzzy Hash: 630073ce6d3674abc00f1195a97b579814a7769efb4daa53dedf4bfce6fd7d72
                                                    • Instruction Fuzzy Hash: 301108317042455FC705AB78C56136D7FB1EF86600F1584AAC445CB7A5DE355805DB91
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 934a681053dcc8552d21484d30293c94d0d52ac7d1105adc0ab168df566f3c50
                                                    • Instruction ID: 0e40ac94b09f7c06159d01a0bd9d809fcb7ae2ae0c00b1c4823d50b3df8d3223
                                                    • Opcode Fuzzy Hash: 934a681053dcc8552d21484d30293c94d0d52ac7d1105adc0ab168df566f3c50
                                                    • Instruction Fuzzy Hash: 82127D707001029BCB15AB7CE89466976A3FFC9250F64893DE805EB351EF79EC428FA1
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9ea39aae98f98e41e2b2b572ce45cdfe320abf9200e6c65db32a6d64fad8f3e7
                                                    • Instruction ID: 2236b7c2fbb4fa7759b1ff9d4129cbcf1a73fd197474bba716644dcb40a9f0bc
                                                    • Opcode Fuzzy Hash: 9ea39aae98f98e41e2b2b572ce45cdfe320abf9200e6c65db32a6d64fad8f3e7
                                                    • Instruction Fuzzy Hash: F1127C707001169BCB15AA7CE89466976E3FBC9250F60893DE805EB351EF79EC428FA1
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 681b98787475b4898b869c52fcd2241cf612be429683b5a9db99725c8cfdb536
                                                    • Instruction ID: db9523f327fc608ce5826cdd1213431fa6b138ebef72ec9f513ac7c41491ab78
                                                    • Opcode Fuzzy Hash: 681b98787475b4898b869c52fcd2241cf612be429683b5a9db99725c8cfdb536
                                                    • Instruction Fuzzy Hash: 0FA15B71E006299FDB11CFA8DC8579DBBF1AF48354F148529D818E7354EB749885CF81
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3904536e4c8677404aad31dcc731ef17736567428e07b58ade2bf83baeba91cd
                                                    • Instruction ID: 5e6970c9ebec6da16ef12845a10c5ba524aeee96b042c9706d2f1210e7479302
                                                    • Opcode Fuzzy Hash: 3904536e4c8677404aad31dcc731ef17736567428e07b58ade2bf83baeba91cd
                                                    • Instruction Fuzzy Hash: A4916D74A015258FDB15DFA8D984AADBBF2EF88314F248429E805E7365DB35DC42CF90
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4fa509365e0b9b6a47c2e779c5ee15243dc8cdd46e668ea6454054f59d3e6d18
                                                    • Instruction ID: 44551351243c6af580a06ac7b49103d18d49b7b31abef756e0ff6c3bbd851ebb
                                                    • Opcode Fuzzy Hash: 4fa509365e0b9b6a47c2e779c5ee15243dc8cdd46e668ea6454054f59d3e6d18
                                                    • Instruction Fuzzy Hash: A45124B1D006298FDB18CFA9C885B9DBBB1FF48300F148519E815BB3A5D774A845CF55
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e5c947875a75c9db599595bfb756fd65bb2c0d4a0cafe46f7faa823d2c0547c8
                                                    • Instruction ID: 0e5c4c82fa65a98731b1b41d49df2d37d407db7287b22190549ad5ae26cbaf02
                                                    • Opcode Fuzzy Hash: e5c947875a75c9db599595bfb756fd65bb2c0d4a0cafe46f7faa823d2c0547c8
                                                    • Instruction Fuzzy Hash: 725124B1D006298FDB18CFA9C884B9EBBB1FF48310F148519E815BB365D774A844CF95
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5aa311ff95338bb0d4712614211edbaea38595f9413a8b40b7049e8b94325527
                                                    • Instruction ID: 1c73b32f25be2c198981e1da5d57362f40f28377c9046dcbb45126ffe4646929
                                                    • Opcode Fuzzy Hash: 5aa311ff95338bb0d4712614211edbaea38595f9413a8b40b7049e8b94325527
                                                    • Instruction Fuzzy Hash: 43514271241242CFC705FF28FAA19543FB2F7A270432059BDE480AB226DB3C6D49DB96
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 38b3cebbed0f88d8544f414ba087186a3489e35b51cbdf809bd8ee562e663927
                                                    • Instruction ID: fb7fca3833be8a639c071cabf8dfd2223a01582ac8ff4e43eb30ab78f97edb55
                                                    • Opcode Fuzzy Hash: 38b3cebbed0f88d8544f414ba087186a3489e35b51cbdf809bd8ee562e663927
                                                    • Instruction Fuzzy Hash: CF510E71241242CFC715EF28FAA19443FB2F7A1B0431199BDE480AB226DB3C6D49DB96
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 33acb515ff0ab3baa134ced68b71b03e34e17775cd8b96c4c3fa3ebe6f73214e
                                                    • Instruction ID: 3c69b579ecb3a455102400819b856d989130783937dcf1169794a860f6aab260
                                                    • Opcode Fuzzy Hash: 33acb515ff0ab3baa134ced68b71b03e34e17775cd8b96c4c3fa3ebe6f73214e
                                                    • Instruction Fuzzy Hash: C0318134E006159BCB19CFA8C99469EB7B2FF8A710F50C929E806E7754EB70AC42CB50
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e3bb16206b75ce2d0c1ee49b133ffd768f89c785a2178f8752425a2c880a7c41
                                                    • Instruction ID: d1398d52109aa4934e0e3b3800e91b0e83cebc361b070d65cb17237dc1695d49
                                                    • Opcode Fuzzy Hash: e3bb16206b75ce2d0c1ee49b133ffd768f89c785a2178f8752425a2c880a7c41
                                                    • Instruction Fuzzy Hash: 8B410FB1D007499FDB10CFA9C884ADEBFF5EF48310F108429E41AAB254DB75A94ACF91
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ed002ce26b85760cbd2c671f34d2f17e6eb344545694b7c146f892791824b26d
                                                    • Instruction ID: 857ac3fc69e5f5a5920425aa9689162be41cb093b9764381abd83898aa4f8bc3
                                                    • Opcode Fuzzy Hash: ed002ce26b85760cbd2c671f34d2f17e6eb344545694b7c146f892791824b26d
                                                    • Instruction Fuzzy Hash: 6D318034E006169BCB09CFE8D99469EB7B2FF8A710F50C929E806E7754DB74AC42CB50
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d7f0a01e787bc3fa0d7a17dbec5ba8dd4f73e24cd076aab1141bcf68552c352a
                                                    • Instruction ID: 3a093c0b9c445be76bf966b527e19c1db86c3dc3fe232c63bf04e07932aa9db5
                                                    • Opcode Fuzzy Hash: d7f0a01e787bc3fa0d7a17dbec5ba8dd4f73e24cd076aab1141bcf68552c352a
                                                    • Instruction Fuzzy Hash: 5B41EEB0D003499FDB14DFA9C894ADEBFF5EF48310F208429E819AB254DB75A949CF91
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 79e0697367de2ddd56e6c22e9a216acbbf89371cf77f0a789b625238473e35e3
                                                    • Instruction ID: 8b383802ec2188eb58d6818be4e1fe4ecb8eb612e960b47511fdbf1d507cbe5d
                                                    • Opcode Fuzzy Hash: 79e0697367de2ddd56e6c22e9a216acbbf89371cf77f0a789b625238473e35e3
                                                    • Instruction Fuzzy Hash: 10318271E1061A9BDB05CFA9C98069EF7B2FF89304F54C529E805EB350DB719842CB90
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4e0ddbe460a0b2f331a416d955be4ceeddd358fbfbd055e5053bd863f89f5742
                                                    • Instruction ID: 74a47ac1bba5b803ea2ed5756f0771b36e4ce3dc18de3e989cc0f36c14cbc4cc
                                                    • Opcode Fuzzy Hash: 4e0ddbe460a0b2f331a416d955be4ceeddd358fbfbd055e5053bd863f89f5742
                                                    • Instruction Fuzzy Hash: 49218E706041124BDB21AE28ED84B693B66EBC2714F205E38E846DB756DB3DDC818F91
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 80770434d9aae59e93de232fdd6f76a8de995a0a99f628032a12665c1a6a4b8f
                                                    • Instruction ID: a6e45308270ed7c11546fb67ebadec886965029a36d0256ceb181d3a2de1f153
                                                    • Opcode Fuzzy Hash: 80770434d9aae59e93de232fdd6f76a8de995a0a99f628032a12665c1a6a4b8f
                                                    • Instruction Fuzzy Hash: E6215170E1062A9BDB05CFA9D98069EF7B2FFCA304F50C529E805EB355DB759842CB90
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ee318e4541b84d12f4bb044011daa3f6f6c64c39941cbb61f8ca1cce4cad656c
                                                    • Instruction ID: c3245fed0c19509f6e9689f190dd44dfd48cdb80fada39a953ba7fefc8ec00d8
                                                    • Opcode Fuzzy Hash: ee318e4541b84d12f4bb044011daa3f6f6c64c39941cbb61f8ca1cce4cad656c
                                                    • Instruction Fuzzy Hash: 76218130E0162A9BDB19CFA5D95469EBBB2AF85304F10C62AE815FB351DB709846CB50
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2ee357ef0deb5ca5df179a937c90de0bba97fcd2ce30d82c0a47077a34db443a
                                                    • Instruction ID: d70a4b9d5d6106b7e7c2cdf5248b2971c7d4fa3356a189dc34414589c2e251ee
                                                    • Opcode Fuzzy Hash: 2ee357ef0deb5ca5df179a937c90de0bba97fcd2ce30d82c0a47077a34db443a
                                                    • Instruction Fuzzy Hash: C3212B346016198FCB64DF78C968AADB7F1AF49200F1144ADE406EB3A4DB399D04DB91
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308619833.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_15cd000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6e21a2c16e8f65a0be27336c76b9c1b2068010d17c10a2c24c8f7b6af54b1a01
                                                    • Instruction ID: 8f835662c27e3b6197f5178d3d0f024dba9c163c6a2787df3d4c0b006656467e
                                                    • Opcode Fuzzy Hash: 6e21a2c16e8f65a0be27336c76b9c1b2068010d17c10a2c24c8f7b6af54b1a01
                                                    • Instruction Fuzzy Hash: 9721FFB5604200EFDB15DF98D980B2ABBB5FB84714F24C96DD80A9F246D33AD407CAA1
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6ae261af2e4b5b3d4fe640ca77368ff53565cd92091bf57eb324b0feb5dfcd7a
                                                    • Instruction ID: 69a93308aeb39180d5aa3d433bad89f6e16fbd0947a106ee5972423be954f9aa
                                                    • Opcode Fuzzy Hash: 6ae261af2e4b5b3d4fe640ca77368ff53565cd92091bf57eb324b0feb5dfcd7a
                                                    • Instruction Fuzzy Hash: CD213A70A0A6155FDB321A2CD99972D3A61E743721F100C39F80ACB782DF39CC81CB92
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ed5c4d4b1b3d1a04b4062526a8f394d7a5db941ac148e8c338ca79e6573baeb6
                                                    • Instruction ID: c94733021ec26ed41bd196959eca233047e2ca8290d376af37c3e9f6f5971ef5
                                                    • Opcode Fuzzy Hash: ed5c4d4b1b3d1a04b4062526a8f394d7a5db941ac148e8c338ca79e6573baeb6
                                                    • Instruction Fuzzy Hash: EC217130E0062A9BDB19CFA5D95469EF7B2AFC9304F20852AE815FB350DB719846CB50
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d4b829e3cb49cf9cfb089784f1f2c4bcfdf637a2d6a7805f9557badb46fa55b4
                                                    • Instruction ID: a0833bc1816dbf010ffcb7568fa6deb443d21b815cccdabf1d81138f606a2ca1
                                                    • Opcode Fuzzy Hash: d4b829e3cb49cf9cfb089784f1f2c4bcfdf637a2d6a7805f9557badb46fa55b4
                                                    • Instruction Fuzzy Hash: 3C215E30B086198FDB54DB78C9647AE77F2AB4A240F10057CD506EB394DB399D41CFA2
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: adf616e33d93e89325d26c24d04447f997f4979d6804ac101aaa2a1692d4d35f
                                                    • Instruction ID: d1bdbc9bd1c41e08d44967a7d183e8b195f95c39b19fb9f67b68566b5419e846
                                                    • Opcode Fuzzy Hash: adf616e33d93e89325d26c24d04447f997f4979d6804ac101aaa2a1692d4d35f
                                                    • Instruction Fuzzy Hash: 15219F706041124BDB21EA28ED84B693766E7C6720F205A38F806DB356DB3D9C418F91
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7ef7facbe9a8c8dbdd57a94ddc79ddc44165523edec930ebe26ee9d97de6adf0
                                                    • Instruction ID: 6b90595b8355965afceef8be187c2b5f0820b8d08a3b1e550603693d03cac010
                                                    • Opcode Fuzzy Hash: 7ef7facbe9a8c8dbdd57a94ddc79ddc44165523edec930ebe26ee9d97de6adf0
                                                    • Instruction Fuzzy Hash: 6E218C30B08629CFDB15DF78CA657AE77F2AB4A240F100468C542EB394DB3A9C01CF92
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ba3992b954ac92979bf13b3bfaf8e43ec51384d3a8e49ed5e97a17a8057367dd
                                                    • Instruction ID: aeb811d9f378ced0a9dc1d63a4b4c68c984f1073e4296cf838d943bfc0b5b429
                                                    • Opcode Fuzzy Hash: ba3992b954ac92979bf13b3bfaf8e43ec51384d3a8e49ed5e97a17a8057367dd
                                                    • Instruction Fuzzy Hash: 4421E6307016198FDB64DF79C958AAE77F1EF89200F1144A8E406EB3A4DB3A9D04CB91
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b80e25cb68dc78ab5a137be0eb92b224030fde236ef7f1a20d870ff6ecb44ed7
                                                    • Instruction ID: 400c39dd7069429943eed29139cb683a97b7da5dcbecafa3bcd28a5494a078c5
                                                    • Opcode Fuzzy Hash: b80e25cb68dc78ab5a137be0eb92b224030fde236ef7f1a20d870ff6ecb44ed7
                                                    • Instruction Fuzzy Hash: 5311A371A016269FCB21EFBC8C505AE7BF6EF49210B1404BAD80AE7341D735D9418FD5
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 33b01376e77a6e81b4ce665b4db7547e2ee8eabf57606c91a5e12f8bc9678ced
                                                    • Instruction ID: f243b823b0db6f941c5ed6db275d8f8006ee59e661d4b7ea99061fdec84dad0e
                                                    • Opcode Fuzzy Hash: 33b01376e77a6e81b4ce665b4db7547e2ee8eabf57606c91a5e12f8bc9678ced
                                                    • Instruction Fuzzy Hash: 9B118F30B106294BDF255A7DC95432A36A5EB85220F214979F406DB342DBA9CC828FD1
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 65c15af1115e37d483d871f30e9c4d940311795f8b7ac5bc70f41b2d629d57ae
                                                    • Instruction ID: 2657b4892ecd716416601a359854c3a0a31547e3ee4b371f751b0acd65194fa8
                                                    • Opcode Fuzzy Hash: 65c15af1115e37d483d871f30e9c4d940311795f8b7ac5bc70f41b2d629d57ae
                                                    • Instruction Fuzzy Hash: AC119430B10A254BDF255A78D95437F3655EB81314F25493AF446DB342DBADC8814FC1
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308619833.00000000015CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015CD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_15cd000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 69ff66525d77365c36fa44d5882dc28d88455d86106029fa3f6fabe23f2abd05
                                                    • Instruction ID: 22d1dc2684f150eab3ff7f0f4834e4d83392d24101ee00ab7ecef2591152d3da
                                                    • Opcode Fuzzy Hash: 69ff66525d77365c36fa44d5882dc28d88455d86106029fa3f6fabe23f2abd05
                                                    • Instruction Fuzzy Hash: CA217F755093808FDB12CF68D594715BF71FB46214F28C5EAD8498F6A7C33A980ACBA2
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: db87c1d30a3066554a48791fe1eecec3d72e5ddf0db5354dc435f5baf7511f4f
                                                    • Instruction ID: ef24599e1169247d5193fff123a0b7f46c26adffb159dd3ece746a3872ff6e25
                                                    • Opcode Fuzzy Hash: db87c1d30a3066554a48791fe1eecec3d72e5ddf0db5354dc435f5baf7511f4f
                                                    • Instruction Fuzzy Hash: 1811817060010ADFDB01EF6CEA8069D7BB5EB80300F205979ED05E7260EB39AE458B91
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1e92a3fa72d2d89e8f45aea5d3c205e395d8e06a38c07a1ede0640002080e5f1
                                                    • Instruction ID: 47d0ea867fe13b5ca5209733e13ac704683eb8911cf3db488d2544d76d8f66e6
                                                    • Opcode Fuzzy Hash: 1e92a3fa72d2d89e8f45aea5d3c205e395d8e06a38c07a1ede0640002080e5f1
                                                    • Instruction Fuzzy Hash: 3B11A076F002165FCB10AEB99E4966A7BE5EB89660F150439EA49D3345EA3888028B91
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9a95a513dfe1ff0f1bf2679f61619fc022468b0e0f814d6384e06f1b3b8ec501
                                                    • Instruction ID: aa4b27a34c203fd15219268141dbb46dcb11a024c1dac7e3beb2fd9cc10c3aaa
                                                    • Opcode Fuzzy Hash: 9a95a513dfe1ff0f1bf2679f61619fc022468b0e0f814d6384e06f1b3b8ec501
                                                    • Instruction Fuzzy Hash: 66014071E016259FCB21EFBC88505AE7BF6EF49210F1804BAE809E7301E735D9428FA5
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.3308989945.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_15_2_1620000_OKTSUgBLN.jbxd
                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: p$p$p$p$p$p$p
                                                    • API String ID: 0-3363255238