
Windows Analysis Report
sDflTDPSLw.exe

Overview

General Information

Sample name: sDflTDPSLw.exe (renamed because the original name is a hash value)
Original sample name: e37912d2a69722ef19ff3567bae3a77b9bdfc2cbb52617b618ede211fa5bb0bc.exe
Analysis ID: 1587622
MD5: 1b024a71a37ea700d40a76071ca192ea
SHA1: 0129937d3bc300c2b493348b30c0d1ae77de8aed
SHA256: e37912d2a69722ef19ff3567bae3a77b9bdfc2cbb52617b618ede211fa5bb0bc
Tags: exe, Formbook, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • sDflTDPSLw.exe (PID: 7944 cmdline: "C:\Users\user\Desktop\sDflTDPSLw.exe" MD5: 1B024A71A37EA700D40A76071CA192EA)
    • powershell.exe (PID: 8168 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\sDflTDPSLw.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5968 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • sDflTDPSLw.exe (PID: 8176 cmdline: "C:\Users\user\Desktop\sDflTDPSLw.exe" MD5: 1B024A71A37EA700D40A76071CA192EA)
    • sDflTDPSLw.exe (PID: 1472 cmdline: "C:\Users\user\Desktop\sDflTDPSLw.exe" MD5: 1B024A71A37EA700D40A76071CA192EA)
    • sDflTDPSLw.exe (PID: 7232 cmdline: "C:\Users\user\Desktop\sDflTDPSLw.exe" MD5: 1B024A71A37EA700D40A76071CA192EA)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.apexrnun.com", "Username": "testlab@apexrnun.com", "Password": "%qroUozO;(C2Rlyb"}
Source | Rule | Description | Author
00000007.00000002.2563481165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.2563481165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.2565454718.0000000002D33000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.2565454718.0000000002D33000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1336739093.0000000003CF9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.2.sDflTDPSLw.exe.3d4c010.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.sDflTDPSLw.exe.3d4c010.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.sDflTDPSLw.exe.3d4c010.4.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | 8 Windows vault schema GUID strings ($s1 to $s8)
0.2.sDflTDPSLw.exe.3d109f0.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.sDflTDPSLw.exe.3d109f0.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\sDflTDPSLw.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\sDflTDPSLw.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\sDflTDPSLw.exe", ParentImage: C:\Users\user\Desktop\sDflTDPSLw.exe, ParentProcessId: 7944, ParentProcessName: sDflTDPSLw.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\sDflTDPSLw.exe", ProcessId: 8168, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\sDflTDPSLw.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\sDflTDPSLw.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\sDflTDPSLw.exe", ParentImage: C:\Users\user\Desktop\sDflTDPSLw.exe, ParentProcessId: 7944, ParentProcessName: sDflTDPSLw.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\sDflTDPSLw.exe", ProcessId: 8168, ProcessName: powershell.exe
                    No Suricata rule has matched


                    AV Detection

Source: sDflTDPSLw.exe | Avira: detected
Source: 0.2.sDflTDPSLw.exe.3d4c010.4.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.apexrnun.com", "Username": "testlab@apexrnun.com", "Password": "%qroUozO;(C2Rlyb"}
Source: sDflTDPSLw.exe | Virustotal: Detection: 79%
Source: sDflTDPSLw.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: sDflTDPSLw.exe | Joe Sandbox ML: detected
Source: sDflTDPSLw.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: sDflTDPSLw.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: dgdO.pdbSHA256U[FN source: sDflTDPSLw.exe
Source: Binary string: dgdO.pdb source: sDflTDPSLw.exe

                    Networking

Source: Yara match | File source: 7.2.sDflTDPSLw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDflTDPSLw.exe.3d4c010.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDflTDPSLw.exe.3d109f0.2.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: mail.apexrnun.com
Source: sDflTDPSLw.exe, 00000007.00000002.2565454718.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: sDflTDPSLw.exe, 00000000.00000002.1336739093.0000000003CF9000.00000004.00000800.00020000.00000000.sdmp, sDflTDPSLw.exe, 00000007.00000002.2565454718.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, sDflTDPSLw.exe, 00000007.00000002.2563481165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: sDflTDPSLw.exe, 00000000.00000002.1334523795.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, sDflTDPSLw.exe, 00000007.00000002.2565454718.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: sDflTDPSLw.exe | String found in binary or memory: http://tempuri.org/DataSet1.xsdQdelete
Source: sDflTDPSLw.exe, 00000000.00000002.1336739093.0000000003CF9000.00000004.00000800.00020000.00000000.sdmp, sDflTDPSLw.exe, 00000007.00000002.2563481165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

                    System Summary

Source: 0.2.sDflTDPSLw.exe.3d4c010.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.sDflTDPSLw.exe.3d109f0.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 7.2.sDflTDPSLw.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.sDflTDPSLw.exe.3d4c010.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.sDflTDPSLw.exe.3d109f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: sDflTDPSLw.exe, 00000000.00000000.1306971999.00000000008A2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedgdO.exe8 vs sDflTDPSLw.exe
Source: sDflTDPSLw.exe, 00000000.00000002.1341653467.00000000075C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs sDflTDPSLw.exe
Source: sDflTDPSLw.exe, 00000000.00000002.1332561620.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs sDflTDPSLw.exe
Source: sDflTDPSLw.exe, 00000000.00000002.1334523795.0000000002D24000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec8656b0c-2aa3-4d56-9386-3f68d83183ee.exe4 vs sDflTDPSLw.exe
Source: sDflTDPSLw.exe, 00000000.00000002.1336739093.0000000003CF9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec8656b0c-2aa3-4d56-9386-3f68d83183ee.exe4 vs sDflTDPSLw.exe
Source: sDflTDPSLw.exe, 00000000.00000002.1336739093.0000000003CF9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs sDflTDPSLw.exe
Source: sDflTDPSLw.exe, 00000007.00000002.2563706178.0000000000D59000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs sDflTDPSLw.exe
Source: sDflTDPSLw.exe, 00000007.00000002.2563481165.000000000043E000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec8656b0c-2aa3-4d56-9386-3f68d83183ee.exe4 vs sDflTDPSLw.exe
Source: sDflTDPSLw.exe | Binary or memory string: OriginalFilenamedgdO.exe8 vs sDflTDPSLw.exe
Source: sDflTDPSLw.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.sDflTDPSLw.exe.3d4c010.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.sDflTDPSLw.exe.3d109f0.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.sDflTDPSLw.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.sDflTDPSLw.exe.3d4c010.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.sDflTDPSLw.exe.3d109f0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: sDflTDPSLw.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/6@2/1
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sDflTDPSLw.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o1dczylb.whc.ps1
Source: sDflTDPSLw.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sDflTDPSLw.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sDflTDPSLw.exe | Virustotal: Detection: 79%
Source: sDflTDPSLw.exe | ReversingLabs: Detection: 78%
Source: sDflTDPSLw.exe | String found in binary or memory: -Add Fertilizer Details
Source: sDflTDPSLw.exe | String found in binary or memory: /Add Transaction Details!Transaction Name!Transaction Type/Transaction Description
Source: unknown | Process created: C:\Users\user\Desktop\sDflTDPSLw.exe "C:\Users\user\Desktop\sDflTDPSLw.exe"
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\sDflTDPSLw.exe"
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Process created: C:\Users\user\Desktop\sDflTDPSLw.exe "C:\Users\user\Desktop\sDflTDPSLw.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Process created: C:\Users\user\Desktop\sDflTDPSLw.exe "C:\Users\user\Desktop\sDflTDPSLw.exe"
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Process created: C:\Users\user\Desktop\sDflTDPSLw.exe "C:\Users\user\Desktop\sDflTDPSLw.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\sDflTDPSLw.exe"
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Process created: C:\Users\user\Desktop\sDflTDPSLw.exe "C:\Users\user\Desktop\sDflTDPSLw.exe"
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Process created: C:\Users\user\Desktop\sDflTDPSLw.exe "C:\Users\user\Desktop\sDflTDPSLw.exe"
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Process created: C:\Users\user\Desktop\sDflTDPSLw.exe "C:\Users\user\Desktop\sDflTDPSLw.exe"
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, textshaping.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: sDflTDPSLw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: sDflTDPSLw.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: sDflTDPSLw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: dgdO.pdbSHA256U[FN | source: sDflTDPSLw.exe
                    Source: Binary string: dgdO.pdb | source: sDflTDPSLw.exe
                    Source: sDflTDPSLw.exe | Static PE information: 0xC4910581 [Tue Jul 3 10:14:25 2074 UTC]
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Code function: 0_2_0139CC90 push ebp; retf 0_2_0139CC91
                    Source: sDflTDPSLw.exe | Static PE information: section name: .text entropy: 7.542917414925076
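The static PE observations above (a .NET COM descriptor directory, the DllCharacteristics flags, a debug directory, a link timestamp in 2074 and a .text section with entropy above 7.5) can be reproduced without a sandbox by reading the PE headers directly. The script below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It uses only the Python standard library (no pefile) and runs on a constructed minimal PE32 image that carries the same timestamp (0xC4910581) and DllCharacteristics value (0x8540) as the report, so the output can be checked against the lines above; the sample itself is not embedded.

```python
"""Reproduce a sandbox's static PE checks: link timestamp, DllCharacteristics,
data-directory presence (.NET COM descriptor, debug) and section entropy."""
import math
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# Data-directory slots of interest (winnt.h IMAGE_DIRECTORY_ENTRY_*)
DATA_DIRECTORIES = {
    1: "IMAGE_DIRECTORY_ENTRY_IMPORT",
    6: "IMAGE_DIRECTORY_ENTRY_DEBUG",
    14: "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes.
    Packed or encrypted code sections typically sit above 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_pe(image: bytes, now: Optional[datetime] = None) -> dict:
    """Parse the headers of a PE32/PE32+ file image and return the checks."""
    now = now or datetime.now(timezone.utc)
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", image, coff)
    opt = coff + 20
    is_pe32plus = struct.unpack_from("<H", image, opt)[0] == 0x20B
    dllchars = struct.unpack_from("<H", image, opt + 70)[0]
    # NumberOfRvaAndSizes / DataDirectory sit at different offsets in PE32+
    ndirs_off, dirs_off = (108, 112) if is_pe32plus else (92, 96)
    ndirs = struct.unpack_from("<I", image, opt + ndirs_off)[0]
    present = []
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", image, opt + dirs_off + 8 * i)
        if rva and size and i in DATA_DIRECTORIES:
            present.append(DATA_DIRECTORIES[i])
    # Section table follows the optional header; entropy is over raw file bytes
    sections = {}
    table = opt + opt_size
    for i in range(nsections):
        name, _vsize, _va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        label = name.rstrip(b"\0").decode("ascii", "replace")
        sections[label] = shannon_entropy(image[rawptr:rawptr + rawsize])
    link_time = EPOCH + timedelta(seconds=timestamp)
    return {
        "timestamp": timestamp,
        "timestamp_utc": link_time.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "timestamp_in_future": link_time > now,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items())
                                if dllchars & bit],
        "data_directories": present,
        "is_dotnet": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR" in present,
        "sections": sections,
        "high_entropy_sections": [n for n, e in sections.items() if e > 7.0],
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (NOT the analysed sample): carries the
    report's timestamp 0xC4910581 and DllCharacteristics 0x8540, non-empty
    DEBUG and COM_DESCRIPTOR directories, and one .text section filled with
    uniformly distributed bytes (entropy exactly 8.0)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0xC4910581, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # base, alignments
    struct.pack_into("<HH", opt, 68, 2, 0x8540)                  # subsystem, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 6, 0x2000, 0x1C)       # DEBUG directory
    struct.pack_into("<II", opt, 96 + 8 * 14, 0x2008, 0x48)      # COM descriptor (.NET)
    text = bytes(range(256)) * 4
    raw_ptr = 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text),
                          raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(raw_ptr, b"\0") + text


if __name__ == "__main__":
    print(analyze_pe(build_sample_pe()))
```

To run it against a real file, pass `open(path, "rb").read()` to `analyze_pe`. One caveat when reading the timestamp line: deterministic .NET builds (Roslyn) replace the link timestamp with a value derived from the compilation hash, with the high bit set, so a "future" timestamp on a .NET binary is a weak indicator on its own; the high entropy of .text and the runtime behaviour recorded elsewhere in this report carry more weight.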

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 times)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 times)
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Process information set: NOOPENFILEERRORBOX (43 consecutive occurrences; SetErrorMode with SEM_NOOPENFILEERRORBOX suppresses the system dialog that would otherwise appear when a file or DLL cannot be found)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (101 consecutive occurrences)
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\sDflTDPSLw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: sDflTDPSLw.exe PID: 7944, type: MEMORYSTR
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: sDflTDPSLw.exe, 00000000.00000002.1336739093.0000000003CF9000.00000004.00000800.00020000.00000000.sdmp, sDflTDPSLw.exe, 00000007.00000002.2565454718.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, sDflTDPSLw.exe, 00000007.00000002.2563481165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Memory allocated: 12F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Memory allocated: 2CF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Memory allocated: 8D70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Memory allocated: 7790000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Memory allocated: 9D70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Memory allocated: AD70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Memory allocated: 11F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Memory allocated: 2D00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Memory allocated: 2B30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7338
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2117
Source: C:\Users\user\Desktop\sDflTDPSLw.exe TID: 7964 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5980 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2112 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\sDflTDPSLw.exe TID: 5956 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\sDflTDPSLw.exe TID: 5956 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\sDflTDPSLw.exe TID: 3976 | Thread sleep count: 195 > 30
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Thread delayed: delay time: 100000
Source: sDflTDPSLw.exe, 00000007.00000002.2565454718.0000000002D33000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
Source: sDflTDPSLw.exe, 00000000.00000002.1332561620.0000000000E41000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: sDflTDPSLw.exe, 00000007.00000002.2563481165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: vmware
Source: sDflTDPSLw.exe, 00000007.00000002.2563481165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: VMwareVBox
Source: sDflTDPSLw.exe, 00000007.00000002.2564160602.0000000001029000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Code function: 7_2_011F70A0 CheckRemoteDebuggerPresent, 7_2_011F70A0
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\sDflTDPSLw.exe"
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Process created: C:\Users\user\Desktop\sDflTDPSLw.exe "C:\Users\user\Desktop\sDflTDPSLw.exe"
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Queries volume information: C:\Users\user\Desktop\sDflTDPSLw.exe VolumeInformation
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.sDflTDPSLw.exe.3d4c010.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDflTDPSLw.exe.3d109f0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.sDflTDPSLw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDflTDPSLw.exe.3d4c010.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDflTDPSLw.exe.3d109f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2563481165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2565454718.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1336739093.0000000003CF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2565454718.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sDflTDPSLw.exe PID: 7944, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sDflTDPSLw.exe PID: 7232, type: MEMORYSTR
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\sDflTDPSLw.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Remote Access Functionality

Source: Yara match | File source: 0.2.sDflTDPSLw.exe.3d4c010.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDflTDPSLw.exe.3d109f0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.sDflTDPSLw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDflTDPSLw.exe.3d4c010.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sDflTDPSLw.exe.3d109f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2563481165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2565454718.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1336739093.0000000003CF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2565454718.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sDflTDPSLw.exe PID: 7944, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: sDflTDPSLw.exe PID: 7232, type: MEMORYSTR
MITRE ATT&CK Matrix (a number in front of a technique is the report's match count for that technique; cells without a number are unmatched matrix entries):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 231 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 531 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 Credentials in Registry | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 261 Virtualization/Sandbox Evasion | Security Account Manager | 261 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 2 Data from Local System | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | 34 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1587622
Sample: sDflTDPSLw.exe
Startdate: 10/01/2025
Architecture: WINDOWS
Score: 100
DNS/IP: mail.apexrnun.com, ip-api.com

Signatures on the root node:
• Found malware configuration
• Malicious sample detected (through community Yara rule)
• Antivirus / Scanner detection for submitted sample
• 8 other signatures

sDflTDPSLw.exe (node 8), started
• Dropped file: C:\Users\user\AppData\...\sDflTDPSLw.exe.log, ASCII
• Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
• Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
• Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
• 2 other signatures
• Child processes started: sDflTDPSLw.exe (node 12), powershell.exe (node 16), sDflTDPSLw.exe (node 18), sDflTDPSLw.exe (node 20)

sDflTDPSLw.exe (node 12)
• Connects to ip-api.com 208.95.112.1, port 49732 -> 80, TUT-ASUS, United States
• Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
• Tries to steal Mail credentials (via file / registry access)
• Tries to harvest and steal ftp login credentials
• Tries to harvest and steal browser information (history, passwords, etc)

powershell.exe (node 16)
• Loading BitLocker PowerShell Module
• Child processes started: conhost.exe (node 22), WmiPrvSE.exe (node 24)

Source | Detection | Scanner | Label
sDflTDPSLw.exe | 79% | Virustotal |
sDflTDPSLw.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
sDflTDPSLw.exe | 100% | Avira | TR/AD.GenSteal.gsicq
sDflTDPSLw.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
mail.apexrnun.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://account.dyn.com/ | sDflTDPSLw.exe, 00000000.00000002.1336739093.0000000003CF9000.00000004.00000800.00020000.00000000.sdmp, sDflTDPSLw.exe, 00000007.00000002.2563481165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | sDflTDPSLw.exe, 00000000.00000002.1334523795.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, sDflTDPSLw.exe, 00000007.00000002.2565454718.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/DataSet1.xsdQdelete | sDflTDPSLw.exe | false | | high
http://ip-api.com | sDflTDPSLw.exe, 00000007.00000002.2565454718.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
                                  Joe Sandbox version:42.0.0 Malachite
                                  Analysis ID:1587622
                                  Start date and time:2025-01-10 15:53:04 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 5m 47s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:sDflTDPSLw.exe
                                  renamed because original name is a hash value
                                  Original Sample Name:e37912d2a69722ef19ff3567bae3a77b9bdfc2cbb52617b618ede211fa5bb0bc.exe
                                  Detection:MAL
                                  Classification:mal100.troj.spyw.evad.winEXE@11/6@2/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 97%
                                  • Number of executed functions: 84
                                  • Number of non-executed functions: 3
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.23.242.162, 172.202.163.200
                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                  • Report size getting too big, too many NtCreateKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:54:01 | API Interceptor | 2x Sleep call for process: sDflTDPSLw.exe modified
09:54:03 | API Interceptor | 15x Sleep call for process: powershell.exe modified
Match: 208.95.112.1
Associated Sample Name / URL | Detection | Threat Name | Context
2HCwqwLg1G.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
CdbVaYf8jC.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
H9YFiQB7o3.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
lFlw40OH6u.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
Pago devuelto #.Documentos#9787565789678675645767856843.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
driver.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
XClient.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
Comprobante.de.pago.pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
p.exe | malicious | Unknown | ip-api.com/csv/?fields=query
rNuevaorden_pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting

Match: ip-api.com
Associated Sample Name / URL | Detection | Threat Name | Context
2HCwqwLg1G.exe | malicious | AgentTesla | 208.95.112.1
CdbVaYf8jC.exe | malicious | AgentTesla | 208.95.112.1
H9YFiQB7o3.exe | malicious | AgentTesla | 208.95.112.1
lFlw40OH6u.exe | malicious | AgentTesla | 208.95.112.1
Pago devuelto #.Documentos#9787565789678675645767856843.exe | malicious | AgentTesla | 208.95.112.1
driver.exe | malicious | Blank Grabber | 208.95.112.1
XClient.exe | malicious | XWorm | 208.95.112.1
Comprobante.de.pago.pdf.exe | malicious | AgentTesla | 208.95.112.1
p.exe | malicious | Unknown | 208.95.112.1
rNuevaorden_pdf.exe | malicious | AgentTesla | 208.95.112.1

Match: TUT-ASUS
Associated Sample Name / URL | Detection | Threat Name | Context
2HCwqwLg1G.exe | malicious | AgentTesla | 208.95.112.1
CdbVaYf8jC.exe | malicious | AgentTesla | 208.95.112.1
H9YFiQB7o3.exe | malicious | AgentTesla | 208.95.112.1
lFlw40OH6u.exe | malicious | AgentTesla | 208.95.112.1
Pago devuelto #.Documentos#9787565789678675645767856843.exe | malicious | AgentTesla | 208.95.112.1
driver.exe | malicious | Blank Grabber | 208.95.112.1
XClient.exe | malicious | XWorm | 208.95.112.1
Comprobante.de.pago.pdf.exe | malicious | AgentTesla | 208.95.112.1
p.exe | malicious | Unknown | 208.95.112.1
rNuevaorden_pdf.exe | malicious | AgentTesla | 208.95.112.1
                                  No context
                                  Process:C:\Users\user\Desktop\sDflTDPSLw.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1216
                                  Entropy (8bit):5.34331486778365
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                  Malicious:true
                                  Reputation:high, very likely benign file
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):2232
                                  Entropy (8bit):5.379736180876081
                                  Encrypted:false
                                  SSDEEP:48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:tLHyIFKL3IZ2KRH9Oug8s
                                  MD5:AE33CC731D64A142DFCC6A541D0708FC
                                  SHA1:31B0ECD28CA8892C3EF4B42D1CB1F56BECD14BEA
                                  SHA-256:776FC4031835093845318CEABF43AB13C51EC6CA69B985C45049EAE2EB6AF623
                                  SHA-512:5282E64561D28CB77C92089BEAF27D83EC55B2A673BEF6EAB4DFC49BE61A0F6653E73F07A45AFBF93C407546D04BB50D9690CCBF553227A4E6CFE4F98389C211
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Reputation:high, very likely benign file
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.5332769457284945
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  File name:sDflTDPSLw.exe
                                  File size:828'928 bytes
                                  MD5:1b024a71a37ea700d40a76071ca192ea
                                  SHA1:0129937d3bc300c2b493348b30c0d1ae77de8aed
                                  SHA256:e37912d2a69722ef19ff3567bae3a77b9bdfc2cbb52617b618ede211fa5bb0bc
                                  SHA512:3a35a87e9fe8a679a15ddb9fd1d59c4276eb123a2d168d9288154cfe83678e3552e48999002292abae8e71dae2f095ddee6300670981bfec6350916ac451f790
                                  SSDEEP:12288:W/Br54A1OQ1Wf5J3wdHNDTeB5VLQkK5tIuJVUmEL:ABr5ndWg5eBDEtbn/EL
                                  TLSH:9405BF1476558F53CA7887F83872E07163FC5E6EA01EF2655DC26EEB79A2F008950E83
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................
                                  Icon Hash:90cececece8e8eb0
                                  Entrypoint:0x4cb90e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp:0xC4910581 [Tue Jul 3 10:14:25 2074 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                  Instruction
                                  jmp dword ptr [00402000h]
                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcb8ba | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcc000 | 0x61c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xce000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc7894 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc9914 | 0xc9a00 | 61b7579de19ef64ccd11d1167fb4d702 | False | 0.8123220028673279 | data | 7.542917414925076 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xcc000 | 0x61c | 0x800 | fa25234a87f2b17e044eeeb0175bbab6 | False | 0.3369140625 | data | 3.4519572100337044 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xce000 | 0xc | 0x200 | adad45348b447ede749d850eb90e041c | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xcc090 | 0x38c | PGP symmetric key encrypted data - Plaintext or unencrypted data | | | 0.42290748898678415
RT_MANIFEST | 0xcc42c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 15:54:04.163281918 CET | 49732 | 80 | 192.168.2.10 | 208.95.112.1
Jan 10, 2025 15:54:04.168178082 CET | 80 | 49732 | 208.95.112.1 | 192.168.2.10
Jan 10, 2025 15:54:04.168242931 CET | 49732 | 80 | 192.168.2.10 | 208.95.112.1
Jan 10, 2025 15:54:04.169040918 CET | 49732 | 80 | 192.168.2.10 | 208.95.112.1
Jan 10, 2025 15:54:04.173851013 CET | 80 | 49732 | 208.95.112.1 | 192.168.2.10
Jan 10, 2025 15:54:04.642059088 CET | 80 | 49732 | 208.95.112.1 | 192.168.2.10
Jan 10, 2025 15:54:04.694715977 CET | 49732 | 80 | 192.168.2.10 | 208.95.112.1
Jan 10, 2025 15:54:55.351413012 CET | 49732 | 80 | 192.168.2.10 | 208.95.112.1
Jan 10, 2025 15:54:55.356524944 CET | 80 | 49732 | 208.95.112.1 | 192.168.2.10
Jan 10, 2025 15:54:55.356637955 CET | 49732 | 80 | 192.168.2.10 | 208.95.112.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 15:54:04.149930954 CET | 57446 | 53 | 192.168.2.10 | 1.1.1.1
Jan 10, 2025 15:54:04.156919003 CET | 53 | 57446 | 1.1.1.1 | 192.168.2.10
Jan 10, 2025 15:54:05.346708059 CET | 52109 | 53 | 192.168.2.10 | 1.1.1.1
Jan 10, 2025 15:54:05.358256102 CET | 53 | 52109 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 15:54:04.149930954 CET | 192.168.2.10 | 1.1.1.1 | 0x37df | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:54:05.346708059 CET | 192.168.2.10 | 1.1.1.1 | 0x1808 | Standard query (0) | mail.apexrnun.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 15:54:04.156919003 CET | 1.1.1.1 | 192.168.2.10 | 0x37df | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 15:54:05.358256102 CET | 1.1.1.1 | 192.168.2.10 | 0x1808 | Name error (3) | mail.apexrnun.com | none | none | A (IP address) | IN (0x0001) | false
                                  • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49732 | 208.95.112.1 | 80 | 7232 | C:\Users\user\Desktop\sDflTDPSLw.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 15:54:04.169040918 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                  Host: ip-api.com
                                  Connection: Keep-Alive
Jan 10, 2025 15:54:04.642059088 CET | 175 | IN | HTTP/1.1 200 OK
                                  Date: Fri, 10 Jan 2025 14:54:04 GMT
                                  Content-Type: text/plain; charset=utf-8
                                  Content-Length: 6
                                  Access-Control-Allow-Origin: *
                                  X-Ttl: 60
                                  X-Rl: 44
                                  Data Raw: 66 61 6c 73 65 0a
                                  Data Ascii: false


Target ID: 0
Start time: 09:54:00
Start date: 10/01/2025
Path: C:\Users\user\Desktop\sDflTDPSLw.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\sDflTDPSLw.exe"
Imagebase: 0x8a0000
File size: 828'928 bytes
MD5 hash: 1B024A71A37EA700D40A76071CA192EA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1336739093.0000000003CF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1336739093.0000000003CF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 3
Start time: 09:54:02
Start date: 10/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\sDflTDPSLw.exe"
Imagebase: 0x4f0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 09:54:02
Start date: 10/01/2025
Path: C:\Users\user\Desktop\sDflTDPSLw.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\sDflTDPSLw.exe"
Imagebase: 0x270000
File size: 828'928 bytes
MD5 hash: 1B024A71A37EA700D40A76071CA192EA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 5
Start time: 09:54:02
Start date: 10/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff620390000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 09:54:02
Start date: 10/01/2025
Path: C:\Users\user\Desktop\sDflTDPSLw.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\sDflTDPSLw.exe"
Imagebase: 0x390000
File size: 828'928 bytes
MD5 hash: 1B024A71A37EA700D40A76071CA192EA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 7
Start time: 09:54:02
Start date: 10/01/2025
Path: C:\Users\user\Desktop\sDflTDPSLw.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\sDflTDPSLw.exe"
Imagebase: 0x900000
File size: 828'928 bytes
MD5 hash: 1B024A71A37EA700D40A76071CA192EA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2563481165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2563481165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2565454718.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2565454718.0000000002D33000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2565454718.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

Target ID: 8
Start time: 09:54:04
Start date: 10/01/2025
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff6616b0000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false


                                    Execution Graph

Execution Coverage: 8.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 49
Total number of Limit Nodes: 3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1342104460.0000000008D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8d20000_sDflTDPSLw.jbxd
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1342104460.0000000008D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8d20000_sDflTDPSLw.jbxd

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 0139D0BE
                                    • GetCurrentThread.KERNEL32 ref: 0139D0FB
                                    • GetCurrentProcess.KERNEL32 ref: 0139D138
                                    • GetCurrentThreadId.KERNEL32 ref: 0139D191
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1333930810.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1390000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 0139D0BE
                                    • GetCurrentThread.KERNEL32 ref: 0139D0FB
                                    • GetCurrentProcess.KERNEL32 ref: 0139D138
                                    • GetCurrentThreadId.KERNEL32 ref: 0139D191
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1333930810.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1390000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0

                                    Control-flow Graph

                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0139AFFE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1333930810.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1390000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0

                                    Control-flow Graph

                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 013959D1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1333930810.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1390000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0

                                    Control-flow Graph

                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 013959D1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1333930810.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1390000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0

                                    Control-flow Graph

                                    APIs
                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 08D22037
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1342104460.0000000008D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8d20000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: FromMonitorPoint
                                    • String ID:
                                    • API String ID: 1566494148-0

                                    Control-flow Graph

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0139D717
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1333930810.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1390000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0

                                    Control-flow Graph

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0139D717
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1333930810.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1390000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0

                                    Control-flow Graph

                                    APIs
                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 08D22037
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1342104460.0000000008D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8d20000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: FromMonitorPoint
                                    • String ID:
                                    • API String ID: 1566494148-0
                                    • Opcode ID: 74b8f28d53236f865ede0cd1199f10d707969421003bea336a4f406689408f68
                                    • Instruction ID: 58a74d2a8eeafdb2496ec44b7e361ed51aa065e82e44347c7deefd5e3eccdb63
                                    • Opcode Fuzzy Hash: 74b8f28d53236f865ede0cd1199f10d707969421003bea336a4f406689408f68
                                    • Instruction Fuzzy Hash: 412189B4D00258DFCB20DF99D545BEEBBB0FB48324F10811AE854AB780C339A945CFA1

Control-flow Graph

• Summary (rendered graph not reproduced): entry block 139b031-139b038 branches either to 139afd9-139b00b, which calls GetModuleHandleW and exits through 139b014-139b028, or to 139b03a-139b056 (call 139a0cc), then 139b058-139b069 (call 139a124), 139b06b-139b074 (call 139a130) or 139b07d-139b084 (call 139a13c), ending at 139b086-139b08b.
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0139AFFE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1333930810.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1390000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: a5f0bd0e2e2b982b62b881b4fa58750334f9c497905f02295ef4217e1cb698b6
                                    • Instruction ID: 1a8dc5719682001c7fcb87bf7db84b29b4ce620329d04f89578bd9c9ced408e0
                                    • Opcode Fuzzy Hash: a5f0bd0e2e2b982b62b881b4fa58750334f9c497905f02295ef4217e1cb698b6
                                    • Instruction Fuzzy Hash: EE11E7B6A003058FDF14DF69D840BAAFBF5AF84214F05805AC519E7355C7759806CBA0

Control-flow Graph

• Summary (rendered graph not reproduced): 139af98-139afd8 leads, directly or via 139afda-139afdd, to 139afe0-139b00b, which calls GetModuleHandleW and exits through 139b00d-139b013 / 139b014-139b028.
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0139AFFE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1333930810.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1390000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 3ac873047e96360bd7564b8da1fedc8d363b5975c9540b1cbd8ce485de64382d
                                    • Instruction ID: 54667b1c9b7a0ad2e4c6cd433eab64a2b6e6019a9ff33ecba3ee8e132920d9fa
                                    • Opcode Fuzzy Hash: 3ac873047e96360bd7564b8da1fedc8d363b5975c9540b1cbd8ce485de64382d
                                    • Instruction Fuzzy Hash: 0811E0B6C002498FDB24CF9AD444BDEFBF4EB88314F10855AD929A7350D379A545CFA1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1333398165.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_105d000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4724392b329a86e488be7cdc9c2516c5f6d7b12a91337325c899528cdddef143
                                    • Instruction ID: caf175088c75b699aa58421b34981251b1a08d364bddba3bc4b98ec27439983e
                                    • Opcode Fuzzy Hash: 4724392b329a86e488be7cdc9c2516c5f6d7b12a91337325c899528cdddef143
                                    • Instruction Fuzzy Hash: F421F571504304EFDB85DF94D5C0B16BBA5FB94364F20C5AEDC894B252C376D446CB61
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1333398165.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_105d000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ece84b45289cc70f7f78e414f1e960195523a1b452ecffdf98a40a8d30e29533
                                    • Instruction ID: 163299565684bbb94fe6dcdc3dff27bbd1bb164c95dda1d15b7362d09c47477f
                                    • Opcode Fuzzy Hash: ece84b45289cc70f7f78e414f1e960195523a1b452ecffdf98a40a8d30e29533
                                    • Instruction Fuzzy Hash: D1210371504300DFDB55DF54D4C0B1BBBA5EB84254F20C5AAEC894B252C33AD847CB62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1333398165.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_105d000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eade7999c4f3845799afae0898718d3b653e32347fc2d3bfb83607705b02d6d2
                                    • Instruction ID: 75b9dc1620308c305deabb7e997e7080f76d30f08e8deffbe2ed3f4ea9db0897
                                    • Opcode Fuzzy Hash: eade7999c4f3845799afae0898718d3b653e32347fc2d3bfb83607705b02d6d2
                                    • Instruction Fuzzy Hash: 7621A4755093808FDB57CF64D990715BFB1EB46214F28C5DBD8898B2A7C33AD80ACB62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1333398165.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_105d000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                    • Instruction ID: 98174518f42df14839762c512c8a0d99efa548d463cbd7cb928c9818ba12be97
                                    • Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                    • Instruction Fuzzy Hash: 8711BB75504280DFCB46CF54C5C0B16BFA1FB84224F24C6AEDC894B296C33AD44ACB61
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1333359168.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_104d000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1f2805eb5a375cac5bf6daf755b9974813f9cb7238825d979d66044dafc6a31e
                                    • Instruction ID: ccdc7d60204a87a2dbed3c268385eee8593ff8954daf3f57998079ac871044c3
                                    • Opcode Fuzzy Hash: 1f2805eb5a375cac5bf6daf755b9974813f9cb7238825d979d66044dafc6a31e
                                    • Instruction Fuzzy Hash: 9201F7B14043809BF720DA55CCC4B6ABBE8FF51264F04C5AAED480A282E2799841CBB5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1333359168.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_104d000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ee74f5f0e9db0bf52d4478b72b38d01f92f3f0d0bd72f2101fc0829076bb9ded
                                    • Instruction ID: c405434aef25915bfbef65d1a6fa4cde19f6c0ef2e57bc199396f9627807fa1b
                                    • Opcode Fuzzy Hash: ee74f5f0e9db0bf52d4478b72b38d01f92f3f0d0bd72f2101fc0829076bb9ded
                                    • Instruction Fuzzy Hash: E1F0C2714043849FE7208E19C8C8B66FFD8EB51238F18C19AED480E286D2799845CBB1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1342104460.0000000008D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8d20000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4e5aa00fbf87c0fd46274e5a8b47eacf151af3ed4a3554d5a0696231f97019a0
                                    • Instruction ID: 67716d61b7af92bef59e7b6f96fe05868f1a10f92f88c564272abf1161cab67d
                                    • Opcode Fuzzy Hash: 4e5aa00fbf87c0fd46274e5a8b47eacf151af3ed4a3554d5a0696231f97019a0
                                    • Instruction Fuzzy Hash: 1BE1F874E00219CFDB14DFA9C980AAEBBF2FF89345F248669D414AB355DB31A941CF60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1342104460.0000000008D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_8d20000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4eb3f6ad5be8f7c0469dbf5beaf44a355d91156d7e7074c406c7d2379debadd8
                                    • Instruction ID: abd869a7f151ae91224d47218863046395443d0b6aa7cc9650c3dfcc00413fff
                                    • Opcode Fuzzy Hash: 4eb3f6ad5be8f7c0469dbf5beaf44a355d91156d7e7074c406c7d2379debadd8
                                    • Instruction Fuzzy Hash: 10E1F674E002198FDB14DFA9C980AAEFBB2FF89345F248669D454AB355DB30A941CF60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1333930810.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_1390000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bb1e0ea984914b4b467ec36f23da6b237a5688feddc7b3af874036224a413bd4
                                    • Instruction ID: 6315fa800b094605a1c4ef3bc77d27906e47bf27c0294ba9ff067501e3a51372
                                    • Opcode Fuzzy Hash: bb1e0ea984914b4b467ec36f23da6b237a5688feddc7b3af874036224a413bd4
                                    • Instruction Fuzzy Hash: ABA18132E0021ACFCF05DFB8C84059EBBB6FF85308B15456AE905EB265DB31E955CB80

                                    Execution Graph

                                    Execution Coverage:11.7%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:2.8%
                                    Total number of Nodes:107
                                    Total number of Limit Nodes:10
Execution graph summary (rendered graph not reproduced; addresses are the node labels from the graph):
• 6703210: calls GetCurrentProcess (6703256), GetCurrentThread (67032a8), GetCurrentProcess (67032e5) and GetCurrentThreadId (6703343) in sequence.
• 11f0afc: via 11f137f and 11f8258 reaches 672fa00/672fa10, which call GlobalMemoryStatusEx twice each (672fc50, 672fc60); via 6702108/67020f8 and 6701834 reaches 6702f94, 6705a58/6705a68, 6705c18, 6703fa4, 6705c94 and 670b448/670b460, from which 670b6c8/670b6d8 and 670b718 lead to GetModuleHandleW (670b960), and 670c9c9/670c9d8 lead to 670d7b0/670d831 and CreateWindowExW (670d9d3).
• 6703458: calls DuplicateHandle.
• 11f70a0: calls CheckRemoteDebuggerPresent (11f70e4).
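Joe Sandbox emits each execution graph and control-flow graph as a single line of raw text: `<node-id> <address> [ApiName ...]` declarations (the address is a block range such as `8d21fa9-8d22004` in control-flow graphs), `<id>-><id>` edges, and annotations like `call 139a0cc` or `3 API calls`. The following Python is an added example, not part of the Joe Sandbox report: it parses that text for both graph kinds, finds the entry-point functions (nodes with no incoming edge) and reports which of them can reach anti-analysis APIs such as CheckRemoteDebuggerPresent or GlobalMemoryStatusEx, which is the question a triage analyst asks of this section. The embedded graph is a constructed subset of this page's nodes, and the watch-list of APIs is an assumption to extend as needed.

```python
import re
from collections import defaultdict, deque

# Constructed excerpt in the layout of this report's raw execution_graph text:
# "<node-id> <address> [ApiName ...]" declarations and "<id>-><id>" edges.
# Hand-picked subset of nodes from this page; not the full graph.
SAMPLE_GRAPH = (
    "execution_graph "
    "43162 6703210 43163 6703256 GetCurrentProcess 43162->43163 "
    "43165 67032a1 43163->43165 43166 67032a8 GetCurrentThread 43163->43166 "
    "43170 6703343 GetCurrentThreadId 43166->43170 "
    "43172 11f0afc 43174 11f084e 43172->43174 "
    "43188 6701834 3 API calls 43174->43188 43197 672fa25 43174->43197 "
    "43198 672fc60 GlobalMemoryStatusEx GlobalMemoryStatusEx 43197->43198 "
    "43289 6703458 DuplicateHandle 43290 67034ee 43289->43290 "
    "43291 11f70a0 43292 11f70e4 CheckRemoteDebuggerPresent 43291->43292 "
    "43293 11f7126 43292->43293"
)

# Assumed triage watch-list of anti-debug / anti-VM APIs; extend as needed.
EVASION_APIS = frozenset({
    "CheckRemoteDebuggerPresent", "IsDebuggerPresent", "GlobalMemoryStatusEx",
})

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_ADDR = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")       # "6703210" or "8d21fa9-8d22004"
_NOISE = re.compile(r"\b\d+ API calls\b|\bcall [0-9a-f]+\b")  # annotations, not nodes


def parse_graph(text):
    """Parse execution_graph / control_flow_graph text.

    Returns (nodes, edges): nodes maps node id -> (address, [api, ...]),
    edges maps node id -> [successor ids]. Raises ValueError on stray tokens.
    """
    tokens = _NOISE.sub(" ", text).split()
    if tokens and tokens[0].endswith("_graph"):
        tokens = tokens[1:]                        # drop the "execution_graph" label
    nodes, edges = {}, defaultdict(list)
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = _EDGE.match(tok)
        if edge:
            edges[edge.group(1)].append(edge.group(2))
        elif tok.isdigit():
            # A decimal node id is always followed by its address or block range.
            if i + 1 >= len(tokens) or not _ADDR.match(tokens[i + 1]):
                raise ValueError(f"node {tok} has no address")
            current = tok
            nodes[current] = (tokens[i + 1], [])
            i += 1                                 # address consumed as well
        elif current is None:
            raise ValueError(f"API name {tok!r} before any node")
        else:
            nodes[current][1].append(tok)          # API called inside this node
        i += 1
    return nodes, dict(edges)


def reachable_apis(nodes, edges, root):
    """Breadth-first walk from root; sorted set of API names on reachable nodes."""
    seen, queue, apis = {root}, deque([root]), set()
    while queue:
        node = queue.popleft()
        apis.update(nodes.get(node, ("", []))[1])
        for succ in edges.get(node, ()):
            if succ not in seen:
                seen.add(succ)
                queue.append(succ)
    return sorted(apis)


def entry_points(nodes, edges):
    """Nodes with no incoming edge: the functions the graph starts from."""
    targets = {succ for succs in edges.values() for succ in succs}
    return [n for n in nodes if n not in targets]


def flag_evasion(text, watch=EVASION_APIS):
    """Map each entry-point address to the watched APIs reachable from it."""
    nodes, edges = parse_graph(text)
    flagged = {}
    for root in entry_points(nodes, edges):
        hits = sorted(set(reachable_apis(nodes, edges, root)) & set(watch))
        if hits:
            flagged[nodes[root][0]] = hits
    return flagged


if __name__ == "__main__":
    for addr, apis in flag_evasion(SAMPLE_GRAPH).items():
        print(f"{addr}: {', '.join(apis)}")
```

On the constructed subset this reports 11f0afc (reaches GlobalMemoryStatusEx) and 11f70a0 (reaches CheckRemoteDebuggerPresent); the same functions work on the page's control_flow_graph lines, where the address field is a block range and `call <addr>` annotations are dropped before parsing.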

Control-flow Graph

• Summary (rendered graph not reproduced): 11f70a0-11f7124 calls CheckRemoteDebuggerPresent, then continues to 11f712d-11f7168 either directly or through 11f7126-11f712c.
                                    APIs
                                    • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 011F7117
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2565129180.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_11f0000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: CheckDebuggerPresentRemote
                                    • String ID:
                                    • API String ID: 3662101638-0
                                    • Opcode ID: 3146a80ae762e320def09b63e732488bb9d68dd01c3f472a0477daf6062d9db3
                                    • Instruction ID: 017527bd54a45bb86b4fd6145baaacd952145d850cbc8791fc1825849ada9753
                                    • Opcode Fuzzy Hash: 3146a80ae762e320def09b63e732488bb9d68dd01c3f472a0477daf6062d9db3
                                    • Instruction Fuzzy Hash: 1D2137B1C012598FDB14CF9AD884BEEFBF5EF49310F14842AE459A7250D778A944CF61
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 96c3c63278de3b17c8833fcb9082520e7fcb42365710ae379c5582ac854f75b6
                                    • Instruction ID: e1450ae400e0b243e5059e1b35542d799b2f0d27a78b1b17e3e9d512d32e5a46
                                    • Opcode Fuzzy Hash: 96c3c63278de3b17c8833fcb9082520e7fcb42365710ae379c5582ac854f75b6
                                    • Instruction Fuzzy Hash: EDD26A34E10215CFDB64DB68C484AADB7B2FF89310F648569D419AB362EB74ED81CF90
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e4cd2da4c9daf2616914712757f858725ea6950c43cfd6d52ba2575a2332ea29
                                    • Instruction ID: 99ea856cdcd8ce16fcf89cdafc2c62224490571ab34478ee9abdca7ae4e38682
                                    • Opcode Fuzzy Hash: e4cd2da4c9daf2616914712757f858725ea6950c43cfd6d52ba2575a2332ea29
                                    • Instruction Fuzzy Hash: 5D62BC35A102158FDB64DB68D994BADB7F2FF88310F24842AE806DB391DB35ED45CB90
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 75fe96a1d95e9ef2710ff4e4fc646187a0b1205ba4f55861412e9ecc3ffd0a6e
                                    • Instruction ID: 9adf588aad530431a9edf30b23ccd32ea27fa4a81183d1673ec8b607a9a3b5e6
                                    • Opcode Fuzzy Hash: 75fe96a1d95e9ef2710ff4e4fc646187a0b1205ba4f55861412e9ecc3ffd0a6e
                                    • Instruction Fuzzy Hash: 82528030E1021A8FDF64DB69D4907BDB7B6FB85714F20892AE445EB381DB34ED818B91
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7a5134b06ed84e175ab6edfa30b09f17a0996d64f551f5e9e70c3a6ad9c8ef33
                                    • Instruction ID: bd8ff70c73a94351d2b306f6fc554e38e2b084e723e34fe24e1584843451fc31
                                    • Opcode Fuzzy Hash: 7a5134b06ed84e175ab6edfa30b09f17a0996d64f551f5e9e70c3a6ad9c8ef33
                                    • Instruction Fuzzy Hash: 3D32CF35B102198FDB95DB68D894BAEB7B2FB88310F108529E505EB395DB34EC81CB91
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 690b43dfdf37a0d1bc367b46336111c46d97720dd8560a0b2427f968c5b5f517
                                    • Instruction ID: 62c53819e7356a1539f476d083e2ea1105d7dba64fa305c7d5d9bdf55ceaeeab
                                    • Opcode Fuzzy Hash: 690b43dfdf37a0d1bc367b46336111c46d97720dd8560a0b2427f968c5b5f517
                                    • Instruction Fuzzy Hash: 2A22D135E002268FEF64DBA8C4806BEBBB2FF84310F248569D556AB381DB35DD45CB91
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 966ab6e7f6311adec6baf1784184cd2f44dbe3a6f717cdd6286c0235cac74579
                                    • Instruction ID: 83a686376107142c7f883031fef7f35297827e160d109ddff06547351da03998
                                    • Opcode Fuzzy Hash: 966ab6e7f6311adec6baf1784184cd2f44dbe3a6f717cdd6286c0235cac74579
                                    • Instruction Fuzzy Hash: 5B02D031B102158FDB18DB68D994B6EB7F2FF84300F248529E4159B385EB76EC86CB91

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 0670328E
                                    • GetCurrentThread.KERNEL32 ref: 067032CB
                                    • GetCurrentProcess.KERNEL32 ref: 06703308
                                    • GetCurrentThreadId.KERNEL32 ref: 06703361
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569726872.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6700000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 5d38517d9b8d15188666ba7d856067d396faff92d73dfc86f5f5917d074e75af
                                    • Instruction ID: 7c3131b8ffedd922c86bfc0f960cc6d01d91726f4f75a9945c239c633f3b0103
                                    • Opcode Fuzzy Hash: 5d38517d9b8d15188666ba7d856067d396faff92d73dfc86f5f5917d074e75af
                                    • Instruction Fuzzy Hash: AC5159B0D01349CFEB54CFA9C588B9EBBF1EF48314F208459D019A7290D7789945CF66

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 0670328E
                                    • GetCurrentThread.KERNEL32 ref: 067032CB
                                    • GetCurrentProcess.KERNEL32 ref: 06703308
                                    • GetCurrentThreadId.KERNEL32 ref: 06703361
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569726872.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6700000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    • Opcode ID: 6ccbe056fc9719eb35577955a7cbcaffbc4917bd6c088fe798caedea858b0a97
                                    • Instruction ID: 772bb3c325cb04dcfa130a028f15ed84b64eb3b116a6b386f1a5021ba568f385
                                    • Opcode Fuzzy Hash: 6ccbe056fc9719eb35577955a7cbcaffbc4917bd6c088fe798caedea858b0a97
                                    • Instruction Fuzzy Hash: CC5156B09013498FEB54CFA9D988BAEBBF1EF48314F208459E019A7290D7789945CF66

Control-flow Graph

• Summary (rendered graph not reproduced): 670d7b0-670da81, a chain of short blocks with one call to 670aaac (670d8c6-670d8f0) and a call to CreateWindowExW in 670d993-670da32; the function ends in the 670da80-670da81 block, which loops on itself.
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569726872.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6700000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6b984c2574a7f8e1c27a981f71b31d804187a6b3c94f5cb745bb1cc0358bf503
                                    • Instruction ID: 99d0abe01c32e4aae263ba49d9c09dc86b9f7d51f151f3573d3a06970ef4bf1f
                                    • Opcode Fuzzy Hash: 6b984c2574a7f8e1c27a981f71b31d804187a6b3c94f5cb745bb1cc0358bf503
                                    • Instruction Fuzzy Hash: FE918D71C093889FDB62CFE9C9409DDBFF1AF4A350F15859AE444DB2A2D3319846CB61

Control-flow Graph

• Summary (rendered graph not reproduced): 670b718-670b9a8; blocks call 670a8f0, 670b9b3/670b9c0, 670a8fc, 6703d00, 6708ed8, 670a90c and 670bc70/670bc80 before GetModuleHandleW is called in 670b960-670b98b and the function exits at 670b994-670b9a8.
                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0670B97E
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569726872.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6700000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 798c920ec7eb123207a4fde9763146a19d26f2ce91775e3655d0c661fbfe8537
                                    • Instruction ID: d9f2c23db3a36ab02379a1a23b00615257a88b83beb3e3f384c0d550707ae6bf
                                    • Opcode Fuzzy Hash: 798c920ec7eb123207a4fde9763146a19d26f2ce91775e3655d0c661fbfe8537
                                    • Instruction Fuzzy Hash: C9815570A00B05CFE7A4DF2AD44476ABBF1FF88604F00892ED496D7A90E775E945CBA1

                                    Control-flow Graph

                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0670DA22
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569726872.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6700000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: CreateWindow
                                    • String ID:
                                    • API String ID: 716092398-0
                                    • Opcode ID: d75efc2fe614472b52734a308d080e9d6a08735300ddcf5f85e41cd0c2251b91
                                    • Instruction ID: 41b10811d05f8864aa965e941caf2f86c2ce8e5407161d704a0d60014c2e1708
                                    • Opcode Fuzzy Hash: d75efc2fe614472b52734a308d080e9d6a08735300ddcf5f85e41cd0c2251b91
                                    • Instruction Fuzzy Hash: B5419DB1D10349DFDB24CF9AC884ADEBBB5FF48310F24812AE819AB250D7759945CFA0

                                    Control-flow Graph

                                    APIs
                                    • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 011F7117
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2565129180.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_11f0000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: CheckDebuggerPresentRemote
                                    • String ID:
                                    • API String ID: 3662101638-0
                                    • Opcode ID: d204593a346589ea5885a38ffab2a7255c72f23b578fa8bf6fa8e88b34c4eb3a
                                    • Instruction ID: d39508d3c0d1cd3211ee9e773be9712593418291e6ec211fe086eeac9bcba8eb
                                    • Opcode Fuzzy Hash: d204593a346589ea5885a38ffab2a7255c72f23b578fa8bf6fa8e88b34c4eb3a
                                    • Instruction Fuzzy Hash: B72148B2C002598FDB14CF9AD584BEEBBF5EF48210F14841AE458B7290D778A945CF60

                                    Control-flow Graph

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 067034DF
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569726872.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6700000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: ca085f66a5902767b13a204f7bffe781cab0d551a42a81c07658117b57feb48e
                                    • Instruction ID: d94d0cd3e9b717386fc369072c95995d7ffb6d5fdb0b2a1fd344cc5b2d132035
                                    • Opcode Fuzzy Hash: ca085f66a5902767b13a204f7bffe781cab0d551a42a81c07658117b57feb48e
                                    • Instruction Fuzzy Hash: 0821E4B5D00249DFDB10CF9AD484BEEBBF5EB48320F14841AE919A7350D379A951CFA1

                                    Control-flow Graph

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 067034DF
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569726872.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6700000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    • Opcode ID: cd2d44442ff29033107d4a9771585768e83a741129961a854f0d799a71751a7f
                                    • Instruction ID: e3182b2d80ebe5331e6803187664c5c4c00c892e51fdd8d19264f372478db4e2
                                    • Opcode Fuzzy Hash: cd2d44442ff29033107d4a9771585768e83a741129961a854f0d799a71751a7f
                                    • Instruction Fuzzy Hash: 5821E6B5D003499FDB10CF9AD484ADEBBF4EB48310F14841AE914A7350D379A940CF61

                                    Control-flow Graph

                                    APIs
                                    • GlobalMemoryStatusEx.KERNELBASE ref: 011FF1EF
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2565129180.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_11f0000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: GlobalMemoryStatus
                                    • String ID:
                                    • API String ID: 1890195054-0
                                    • Opcode ID: 31c02cce40a8a28118e6ee67f0f2ee6707d40b11f9d3eca75d304738abe84f53
                                    • Instruction ID: b4d56dc3012c0b7280f8402e0e660310b87cd1983ea998cfcad15ce107dcd536
                                    • Opcode Fuzzy Hash: 31c02cce40a8a28118e6ee67f0f2ee6707d40b11f9d3eca75d304738abe84f53
                                    • Instruction Fuzzy Hash: EE2153B2C0029A8FDB10CFAAC4457DEFBF0EF09210F15856AE918B7240D378A941CFA1

                                    Control-flow Graph

                                    APIs
                                    • GlobalMemoryStatusEx.KERNELBASE ref: 011FF1EF
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2565129180.00000000011F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011F0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_11f0000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: GlobalMemoryStatus
                                    • String ID:
                                    • API String ID: 1890195054-0
                                    • Opcode ID: 969c66ffdbde1ef37157ede049fe45767e25382790f6c06c31ad26dbe5e9c0db
                                    • Instruction ID: 585f643a3e3c3d87b3b91e6055eaac958e3a4e99d0b2921bd7289ffd88b85876
                                    • Opcode Fuzzy Hash: 969c66ffdbde1ef37157ede049fe45767e25382790f6c06c31ad26dbe5e9c0db
                                    • Instruction Fuzzy Hash: B51112B2C0065A9BDB10DF9AC444BDEFBF4EF48220F10812AE918B7240D778A941CFA1

                                    Control-flow Graph

                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0670B97E
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569726872.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6700000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    • Opcode ID: 1a23854768c7254368508a595a4427f04c9d739d887a77d82d5e7e83cf55011e
                                    • Instruction ID: 49bfbd8619cca42d8a7d6186a8856da36d6251c63a172983eee91d4ea64bd030
                                    • Opcode Fuzzy Hash: 1a23854768c7254368508a595a4427f04c9d739d887a77d82d5e7e83cf55011e
                                    • Instruction Fuzzy Hash: D111E0B5C00349CFDB20DF9AC444BDEFBF4EB88614F10842AD869A7650D37AA645CFA1

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: |
                                    • API String ID: 0-2343686810
                                    • Opcode ID: 234381a0e356a05b546e636adab1de0541974bbee737cc24806820b8ff01aaa4
                                    • Instruction ID: 289adf12fa3394b25790662aaeffcfefe2292dd72512610ca646d3d1bbb8c476
                                    • Opcode Fuzzy Hash: 234381a0e356a05b546e636adab1de0541974bbee737cc24806820b8ff01aaa4
                                    • Instruction Fuzzy Hash: 0C21AE71B042148FDB55DF788818B6E7BF1AF8D600F0084AEE54ADB3A1DB389D00CB44

                                    Control-flow Graph

                                    • Executed
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: |
                                    • API String ID: 0-2343686810
                                    • Opcode ID: 354c4a2421f83700b1e8008778c142060a524356d8d3e4b59d3e093016115aa5
                                    • Instruction ID: cff3cb18204701e21b431f40bb379591983375dfbf98b10d42817e120c38a42a
                                    • Opcode Fuzzy Hash: 354c4a2421f83700b1e8008778c142060a524356d8d3e4b59d3e093016115aa5
                                    • Instruction Fuzzy Hash: 9D114C71B502259FDB44EB789808B6E7BF5AF8C600F10846AEA0AE7390DA359900CB84
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: \Oq
                                    • API String ID: 0-643489707
                                    • Opcode ID: fab90e0ecda93ac65be295b2944263ddcbf70fcc19ef2f9f7f95a0aa55ff9986
                                    • Instruction ID: 87c7164b1e81ad38774641e5a48f879f5489a00c2a912b601f88d0eee56f5f93
                                    • Opcode Fuzzy Hash: fab90e0ecda93ac65be295b2944263ddcbf70fcc19ef2f9f7f95a0aa55ff9986
                                    • Instruction Fuzzy Hash: 9FF0FE30A10229DFDB14DF94E899BADBBB6FF88751F200519E402A7298CBB45D45CF80
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: dcde54b6181f698f9f617e88770c8af3d7216b9202b7c3dcdfe012bc410a4eaf
                                    • Instruction ID: c8dab05623a21916da2474916d42b71b2fcaa17513e11f7487abd598900c7543
                                    • Opcode Fuzzy Hash: dcde54b6181f698f9f617e88770c8af3d7216b9202b7c3dcdfe012bc410a4eaf
                                    • Instruction Fuzzy Hash: 3F627130A1021A8FCB65EF68D590A5EB7B2FF84744F20C528D4459F366EB75ED86CB80
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f0dcfb4fccccffb71e3fbd5bc02f51e4c59e329cd11e814a733d802780771b5a
                                    • Instruction ID: d3633c5e2906f87958ba167afb25d7d7e8731deba551b575ddcfcedce8941039
                                    • Opcode Fuzzy Hash: f0dcfb4fccccffb71e3fbd5bc02f51e4c59e329cd11e814a733d802780771b5a
                                    • Instruction Fuzzy Hash: 27E18231E1031A8FDF69DB64D4806AEB7B2FF88704F208529D406AB345EB74ED46CB91
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c2e8ca0d43b9eb39ce9acdb860c79ccbdacc3c54e3b9e6f31e2f2c1bbcb2f7c2
                                    • Instruction ID: 8380ad038349eb757143c9b9dd58e8446d0c49ea10410361ca5fc9caa3f2c4ed
                                    • Opcode Fuzzy Hash: c2e8ca0d43b9eb39ce9acdb860c79ccbdacc3c54e3b9e6f31e2f2c1bbcb2f7c2
                                    • Instruction Fuzzy Hash: F2B1A474F1021A8FEF64DAADD8907BD77B6FB89714F204425E405EB382DA38DC818B51
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bd08bb8b7fea951a55d2f92c89ea851807896829e2dc50dea38ea49e14917318
                                    • Instruction ID: f10571a08d53769154304026ad64c52376371105317bb674d02ea937d693e4b8
                                    • Opcode Fuzzy Hash: bd08bb8b7fea951a55d2f92c89ea851807896829e2dc50dea38ea49e14917318
                                    • Instruction Fuzzy Hash: 00919074F0021A8FDB64DB69D8607AEB7F6BF88300F148569C51AAB345EF70ED418B91
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 360545ebacbd4af2b74a1cec74a1b7dbf9cb0545ebfba609c43ec535284375cc
                                    • Instruction ID: 944d403a8ea7aa3da9aaa3326ade3980b936271af20e3a40af1fb42323daedc9
                                    • Opcode Fuzzy Hash: 360545ebacbd4af2b74a1cec74a1b7dbf9cb0545ebfba609c43ec535284375cc
                                    • Instruction Fuzzy Hash: 7F61E6B2F001214FDF559A7DC84066FBAE7AFD4610B15443AE80AEB361DEB5DD0287D1
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0d57c06f577cab10cc1f31e8e330506bd8c0f2905a919107833c3151a180fea6
                                    • Instruction ID: ab7d637d689acf82b5236d339f4396ae23feb37a66ceb4635eadfc31b0188788
                                    • Opcode Fuzzy Hash: 0d57c06f577cab10cc1f31e8e330506bd8c0f2905a919107833c3151a180fea6
                                    • Instruction Fuzzy Hash: 70816F35B102158FDF54DBA8D49476EBBF2BF88300F108429E40ADB385DB75DC518B51
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: af700b74cacc85b35613e391871232e20366235a2fc96018b7dbdb7cabff665d
                                    • Instruction ID: a37a53f800f19d2641610d95350c881ddf58b6a379c76d54c6daff2e0ed33eeb
                                    • Opcode Fuzzy Hash: af700b74cacc85b35613e391871232e20366235a2fc96018b7dbdb7cabff665d
                                    • Instruction Fuzzy Hash: 9E813C34B1021A8FDB54DBA8D49476EBBF2BF89310F108429E40AEB385EB75DC518B91
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 19f31f3ef750ea1d666cc204bd06fa6852f6d5365baff9992966830215323052
                                    • Instruction ID: 300650789aeae8f81868399ff31f29f647cde55c27ff4b40f03bf8d2253193df
                                    • Opcode Fuzzy Hash: 19f31f3ef750ea1d666cc204bd06fa6852f6d5365baff9992966830215323052
                                    • Instruction Fuzzy Hash: 0A913C70E106198FDF60DF68C880B9DB7B1FF89310F208699D549BB245EB70AA85CF91
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ef4a8dd15938abd69e12da9738b1189f2a6733ddc28808fd122e183e64844dc8
                                    • Instruction ID: 96c2e517b516e7fc1e02b3c69bc80f316ee1aa96ed4cf3372f85e58cbc2c0e1e
                                    • Opcode Fuzzy Hash: ef4a8dd15938abd69e12da9738b1189f2a6733ddc28808fd122e183e64844dc8
                                    • Instruction Fuzzy Hash: 72912C70E106198FDF60DF69C880B9DB7B1FF89310F208699D549BB245EB70AA85CF91
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ff967a63d2f5b1b10de2e821953c48854098298f06820e8a141d1f9dcdec0691
                                    • Instruction ID: 6c667c56f6884a5a5ab6fca2b04473a9bd8fe4609df33aaf6b8419aa54001158
                                    • Opcode Fuzzy Hash: ff967a63d2f5b1b10de2e821953c48854098298f06820e8a141d1f9dcdec0691
                                    • Instruction Fuzzy Hash: B0715D31A002198FDB55DFA8D984AADBBF6FF88300F248529E509EB355DB30ED45CB50
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 608d2f56afbab9ce6187f493b4076215c9c54fd001c1ff8cac697e81f39ba91d
                                    • Instruction ID: 0972047ca44b0e79834b293dcd7ceeb6213e8457ba6ec5f89a718249459f8472
                                    • Opcode Fuzzy Hash: 608d2f56afbab9ce6187f493b4076215c9c54fd001c1ff8cac697e81f39ba91d
                                    • Instruction Fuzzy Hash: AA716C31A002198FDB55DFA8D984AADBBF6FF88300F248529E505EB355EB30ED46CB50
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b1c1f0e256aeb642755185ebe1bfffae8fef34d2e66b71e21248c83aeeb926dd
                                    • Instruction ID: 529f7db65cc4681bc1a50a8930727a5ae3912ef447c1ece15f16e42f34734ef6
                                    • Opcode Fuzzy Hash: b1c1f0e256aeb642755185ebe1bfffae8fef34d2e66b71e21248c83aeeb926dd
                                    • Instruction Fuzzy Hash: B1511231E4021ACFDF24AB78E4946ADBBB2FF88314F208879E506D7351DB398855CB80
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 58f4d305be6153d098e6efe25cad1b379fcb975d3906d595ff6e4117f506bf1d
                                    • Instruction ID: 2315d6d183338119156a77d8bbe8f6345f83588b6712fcc3a6ae2b62d63c0a76
                                    • Opcode Fuzzy Hash: 58f4d305be6153d098e6efe25cad1b379fcb975d3906d595ff6e4117f506bf1d
                                    • Instruction Fuzzy Hash: 5351FB70B602259FEF645678D8A477F267AD789B50F20443AD00AC77D5DE7CCC818792
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c7afdb3de0ca63aaf7c0c8ca89d9d6d5a61c72e095344734b7ef9b4a66c8dbf4
                                    • Instruction ID: 599636bd1f4896a04a2c84ad155c9495f8be61ca3a4424b0cce05f270b412175
                                    • Opcode Fuzzy Hash: c7afdb3de0ca63aaf7c0c8ca89d9d6d5a61c72e095344734b7ef9b4a66c8dbf4
                                    • Instruction Fuzzy Hash: 38510770B602259FEF646678C8A473F267ED789B50F20442AE40AC37D5DEBDCC818792
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fc6ed9434f544c874b5f635d0e48f830d83772ac0850f12100ec28c9e800c039
                                    • Instruction ID: 42df4a103a7f6a194ded608edef4f7ae48883ca2d7d8ee5baa20562dc4a18456
                                    • Opcode Fuzzy Hash: fc6ed9434f544c874b5f635d0e48f830d83772ac0850f12100ec28c9e800c039
                                    • Instruction Fuzzy Hash: 7F519F75B402158FDB64DB79D960BAE77F7BB88350F048429C50ADB384EE30ED518BA0
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ac7b52279f99cb5417b7b62ca45071471caac8b0f21eff32b9c5f85a4b2c7104
                                    • Instruction ID: 87cf5c053e8c518a58fa2be315ef852bc4c538de2279c290f7e3603cbf8c9d35
                                    • Opcode Fuzzy Hash: ac7b52279f99cb5417b7b62ca45071471caac8b0f21eff32b9c5f85a4b2c7104
                                    • Instruction Fuzzy Hash: 88416C70E1071ADFDB659F65C8647AEBBB2BF89340F208529E401E7341EB74D941CB81
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b1e3dba7f530097c27f6414fa4941c3c083ce2a879a8262d987409ef364c30fd
                                    • Instruction ID: 44f4428ddf4f9cddd0ea605d5a958845e0308762a6ad6fc92de26abe3914ea40
                                    • Opcode Fuzzy Hash: b1e3dba7f530097c27f6414fa4941c3c083ce2a879a8262d987409ef364c30fd
                                    • Instruction Fuzzy Hash: 86416E30E1075ACFDB65DFA5C8946AEBBB2BF89340F108529E401EB241EB74D946CB41
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6fe1f3e424552cb0f974d94ce7c803d943fef111657a4c5b8ca651ea731725b8
                                    • Instruction ID: ffea83863031562da295a6ef1fcc801cc373fbd22f29ae6da7bacadd62d99310
                                    • Opcode Fuzzy Hash: 6fe1f3e424552cb0f974d94ce7c803d943fef111657a4c5b8ca651ea731725b8
                                    • Instruction Fuzzy Hash: 7931F032A0120A9FDB18AB78E4585AEBBB2FF84311F10897DD106D7251DF399865C784
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3ec857db5f4347029d200bfbe1ec705bf32e002184e2496566267766860c458f
                                    • Instruction ID: 686d80a5cadceff53e9d175af212c65788ffc4ade88c927f6ddd3b5bada955b8
                                    • Opcode Fuzzy Hash: 3ec857db5f4347029d200bfbe1ec705bf32e002184e2496566267766860c458f
                                    • Instruction Fuzzy Hash: D4312271B002129FDB699B74C850A6E7BF2BF89240F204528D402DB386DF36CE45CBA1
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 90300c3990a485e5d3b3d58e826ef5d1687b52b4099d7633936e95e3cbd43f74
                                    • Instruction ID: 46cb5a149fc01436dcd002fcfe37492bdbea0b225c54a4670a5988e1374cc4c0
                                    • Opcode Fuzzy Hash: 90300c3990a485e5d3b3d58e826ef5d1687b52b4099d7633936e95e3cbd43f74
                                    • Instruction Fuzzy Hash: C131F270B002158FDB69AB74C45476E7BE3BF89250F204528D412DB386EE36DE45CBA1
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 36d9b245105393aa27cfc9eec74229a99d10ad556ee4d16d65104d33b157025c
                                    • Instruction ID: f210d95f0f65bf8ce78a65380cbfcf8a98aee8e5da4e2ca2a5a76a864793db19
                                    • Opcode Fuzzy Hash: 36d9b245105393aa27cfc9eec74229a99d10ad556ee4d16d65104d33b157025c
                                    • Instruction Fuzzy Hash: 2E31A531E2031A8BDB25DF68D890A9EB7B6FF84300F108919E445EB351E7B0E941CB41
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 59a9ad7e22ae9c74b369b747e403af09c6b96912ff11176ae3f7c9accbf1a406
                                    • Instruction ID: f264b84c0ad11b9f57c1e36854b2adec6c79cf398a635ee507c787685e85f3d3
                                    • Opcode Fuzzy Hash: 59a9ad7e22ae9c74b369b747e403af09c6b96912ff11176ae3f7c9accbf1a406
                                    • Instruction Fuzzy Hash: 04316E75E202168FCB55CF64D895AAEFBB2EF89300F108919E916E7341DB71E986CB40
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 11d691d2763725db6e9eb73d5a56ed59e324d4d973a30ad5a05bd3ff7fa8cdc2
                                    • Instruction ID: e552f84e28f677b73a8f38c3cdf1699f0633f361e4f28fa892b9adbcc4e1e6ba
                                    • Opcode Fuzzy Hash: 11d691d2763725db6e9eb73d5a56ed59e324d4d973a30ad5a05bd3ff7fa8cdc2
                                    • Instruction Fuzzy Hash: EE315B31E202169BCB59CF64D894AAEBBB2EF89300F108919E916E7351DB71E981CB50
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b4bc3fd49c535a18fca2658a6d06f197af6bb0e20b62924fec3f98a2b6f51000
                                    • Instruction ID: de1f5a2649c4bf245664cd125578d2cbb1cb4223f0aee16e288535f87e59eb2a
                                    • Opcode Fuzzy Hash: b4bc3fd49c535a18fca2658a6d06f197af6bb0e20b62924fec3f98a2b6f51000
                                    • Instruction Fuzzy Hash: C5217A7AF006299FDB40DF69D980AAEBBF1BB48310F108029E915E7381E735D941CBA0
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 68fb0f44469c2d82205896942454bbaaff824fe7b2c13b2f953e3687b30dfebb
                                    • Instruction ID: f1a49081f60f0eedd2e7d452ec235cae8980588e9b5480e45361da82d461a60b
                                    • Opcode Fuzzy Hash: 68fb0f44469c2d82205896942454bbaaff824fe7b2c13b2f953e3687b30dfebb
                                    • Instruction Fuzzy Hash: 44218B76F006159FDB00DFA9D980BAEBBB1BB48310F008429E945E7381E738E9518B90
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: af14bf222fec3f97421458fa267c5e375a1dca5d016972e5b042d832ec23f99c
                                    • Instruction ID: 4e3982587473522b6df0f8cf4a9886f68fe168fda315ff1e40dad236b919894c
                                    • Opcode Fuzzy Hash: af14bf222fec3f97421458fa267c5e375a1dca5d016972e5b042d832ec23f99c
                                    • Instruction Fuzzy Hash: 3F21D436B1012A9FDF54DA68E9547ADB7B7EF84310F20842AD505EB381D732EC518B80
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a1b88f8f31a65125bdb5c1d2a4de3a69c4040d978c575d4a3e18bd4d1d61a604
                                    • Instruction ID: b69b2e86d34ea018712b68f94ffb0d8a0100f47fdf5612ff8064b64e1206959e
                                    • Opcode Fuzzy Hash: a1b88f8f31a65125bdb5c1d2a4de3a69c4040d978c575d4a3e18bd4d1d61a604
                                    • Instruction Fuzzy Hash: 4A218371D1072A8BDF25CFA9C8406AEBBB5FF85700F10891AE805FB240DB74A985CF81
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2564794011.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_116d000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e597250c3578cb83767eec482babc9cc616d6f610ba93d941ac0279c389a0817
                                    • Instruction ID: 2a90e715bbd69a9e61959ccb01cb9ea7d3e2f3bfba624edce4bea78e581196a9
                                    • Opcode Fuzzy Hash: e597250c3578cb83767eec482babc9cc616d6f610ba93d941ac0279c389a0817
                                    • Instruction Fuzzy Hash: E3212571604340DFDF19DF54E4C0B16BB69EB88354F20C56DD8890B242C33BD457CA62
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 00fb46210b5754bb8dfeeca27bdca179b481ee5c2d6fec9b92b7905b62f38c34
                                    • Instruction ID: 5c8b28f61ea645d0707fc08d98a1a03b233cb25c0ebefa9ec220ed7b700c39e8
                                    • Opcode Fuzzy Hash: 00fb46210b5754bb8dfeeca27bdca179b481ee5c2d6fec9b92b7905b62f38c34
                                    • Instruction Fuzzy Hash: FC21AF31B101299FDF64DA68E9947AEB7B7EB84310F20842AD505EB344DB31EC518B90
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f10615c19176a16b3249cd3709a89f47923567723f8fa45c57c2b4d4af18e1e9
                                    • Instruction ID: 872fe9a6bca84fdcb4d96cae9dcd8f3478f013079467f33421ef24299d89935b
                                    • Opcode Fuzzy Hash: f10615c19176a16b3249cd3709a89f47923567723f8fa45c57c2b4d4af18e1e9
                                    • Instruction Fuzzy Hash: 0C119371E102299FCF68DB69D8406EEF7B6EF89310F108569D105EB300EA359A40CBE1
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2564794011.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_116d000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eb324feac7d902f2a7347111d47005708c0ccba61414c60ec365c494280a7063
                                    • Instruction ID: 05a92d82ecacf12b282d0fe8c1c86fe9f52b0ba739f5371ec82623a1c6e5f81e
                                    • Opcode Fuzzy Hash: eb324feac7d902f2a7347111d47005708c0ccba61414c60ec365c494280a7063
                                    • Instruction Fuzzy Hash: 9B2192755093808FCB07CF24D990B15BF71EB46214F28C5DAD8898F2A7C33B981ACB62
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3a1055ac4e9f526181a31bd7494d9b17d08393e7d673754d5e710facbf17451f
                                    • Instruction ID: 8e44be53809359969a9efb80d5ffc7945e7d682906401998d66dfd1b350560b2
                                    • Opcode Fuzzy Hash: 3a1055ac4e9f526181a31bd7494d9b17d08393e7d673754d5e710facbf17451f
                                    • Instruction Fuzzy Hash: F011A136B105298FDB659A78D8246BE77E7FBC8720F008539D406E7384DE39DC1287A1
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 27d54c3be4656b56b3cbe9356d77dab3588238cf89884d0397df20a59e654d85
                                    • Instruction ID: 17505b333612b55cd2389c94fee70dc0df70cb84a7180993e8c6b39dab44f6b7
                                    • Opcode Fuzzy Hash: 27d54c3be4656b56b3cbe9356d77dab3588238cf89884d0397df20a59e654d85
                                    • Instruction Fuzzy Hash: 1701F576F101610FDB12897C980572AFBE6DF8A730F14882AE10ACB382E929DC464790
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 86b69795c93ddcf035f5283cb0cec78bb264cbf954f27e41929d0bc975a5a4a9
                                    • Instruction ID: ba66b5a8af9ffc671c3f042b3fa35866e3abc97c9946f50987a124b07690c424
                                    • Opcode Fuzzy Hash: 86b69795c93ddcf035f5283cb0cec78bb264cbf954f27e41929d0bc975a5a4a9
                                    • Instruction Fuzzy Hash: 7E01D8367105614FCB559B7C985473E77E6DFC9710F248836E40ACB381DE25EC424751
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9760be87f801ecf59f700120e7f31cf75a8f09987c3e4d1879da7980d96d418e
                                    • Instruction ID: 1c929a2f462c0fbcf4ba9122edf16ba50de56ab77583b77bd18d6068c8610042
                                    • Opcode Fuzzy Hash: 9760be87f801ecf59f700120e7f31cf75a8f09987c3e4d1879da7980d96d418e
                                    • Instruction Fuzzy Hash: 0C01F236B104255FEBA599689C25BFF37A7ABC8720F00453AD51AE7380EE65CC124391
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 261542b2af3624f6016d73584a45d748949aafc5c97dc07757da08f2781a7aab
                                    • Instruction ID: b2a977a1a0550cb44e5c996e634a62980c7c0ae2a94ba5c2b7b6cd4aab105c13
                                    • Opcode Fuzzy Hash: 261542b2af3624f6016d73584a45d748949aafc5c97dc07757da08f2781a7aab
                                    • Instruction Fuzzy Hash: EC21F2B5D012199FCB10CF9AD984BDEFBB4FF08310F10862AE918A7240D378A544CFA4
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4ca74c30f0efc9b13ad0d811f1e5912198767a23af87f1c99ace978454921520
                                    • Instruction ID: 2211453bb710f193f1fe70b0b0392b2147a5e729731ec4103e4212681f46b773
                                    • Opcode Fuzzy Hash: 4ca74c30f0efc9b13ad0d811f1e5912198767a23af87f1c99ace978454921520
                                    • Instruction Fuzzy Hash: 1411E4B1D012199FCB10DF9AD884BDEFBB4FB48310F10852AE918A7200D379A944CFA5
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 697da1cc31e7b9a82177b9bfbf74c7e10fa6c681caa88e22acd9502b91c9de48
                                    • Instruction ID: e5266c2b3181333c1bb0c5ec46fdb8da385f7261243e341f7fad1926ea0129f0
                                    • Opcode Fuzzy Hash: 697da1cc31e7b9a82177b9bfbf74c7e10fa6c681caa88e22acd9502b91c9de48
                                    • Instruction Fuzzy Hash: 6401F431F101210BDB65997CA444B2FB7DADBC9730F20883AE50ECB380EE6AEC464391
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5a286eed99ae77c3c8e72223ee1b21c93fa36fd552c377152c821bbb3bb3a604
                                    • Instruction ID: ecc8b16edd920318c4fbf39debb159c44912dfffcf4dad24e2c53f2bd0be62f8
                                    • Opcode Fuzzy Hash: 5a286eed99ae77c3c8e72223ee1b21c93fa36fd552c377152c821bbb3bb3a604
                                    • Instruction Fuzzy Hash: E901A436B105214BDB659A3C985873E77EADBC9760F248839F50AC7340EE25EC424791
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3bafd213b3e8e622b1df0031216e8fb6b7320252d8f55d64aa80f704d3bdbb4c
                                    • Instruction ID: a49d92954e8346f72823f892a39261ffcbae120ae2374e0701711c24d465d13b
                                    • Opcode Fuzzy Hash: 3bafd213b3e8e622b1df0031216e8fb6b7320252d8f55d64aa80f704d3bdbb4c
                                    • Instruction Fuzzy Hash: F901D636B182214FDB52DA7CD86572E7BE2FB8D710F148829E14BCB382EA25DC418781
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: dcc02478765e2c401eb658fce4e7a5ca3426b291b64273e656ed24e2504991de
                                    • Instruction ID: f113b70fa4ec75c506d5666c2602c281f6ffefdd74bd0375c8c58f7c82a6fd04
                                    • Opcode Fuzzy Hash: dcc02478765e2c401eb658fce4e7a5ca3426b291b64273e656ed24e2504991de
                                    • Instruction Fuzzy Hash: 3101A435B101214FDB51EA7CE855B2E77D6FB8D710F108828E50BC7341EE22EC414781
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cd2e2b82ac0d22970eeb32a51d307dc512b71ce1115b37d47130bcc0c140370a
                                    • Instruction ID: 6d2c7aac80b07575b67c472b0d1c0852931c7a00bbed325ac05bfba33eeb74ce
                                    • Opcode Fuzzy Hash: cd2e2b82ac0d22970eeb32a51d307dc512b71ce1115b37d47130bcc0c140370a
                                    • Instruction Fuzzy Hash: 51F0A736E2023497DB55A965DC006AEB37AE784754F104529E941A7344DB32A81087C0
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f43c356cf73cb22068c34fd4488cbfb32319e8aa7d20e4a74862c24f1e076606
                                    • Instruction ID: 63ee74e78aa9252ac1329c6f913c4c11e3a2505b9f653a4207f1007b0d6165e4
                                    • Opcode Fuzzy Hash: f43c356cf73cb22068c34fd4488cbfb32319e8aa7d20e4a74862c24f1e076606
                                    • Instruction Fuzzy Hash: 88E026B0E2115ADFDF50CFB0CAA83A937E5EB12208F204DA6D488CB141E137CF058701
                                    Memory Dump Source
                                    • Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
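The function records in this part of the report are a flat text export: every record carries an Opcode ID (which, in every record above, is identical to the Opcode Fuzzy Hash), an Instruction Fuzzy Hash, and the memory dump (Source File / Offset) the function was lifted from. When triaging a report like this one, a practitioner usually wants two things the listing does not show directly: how many recovered functions come from each memory region (here 0x06720000 versus 0x0116D000), and which records are near-identical variants of one another. The Python below is an added example for this page, not code from Joe Sandbox or from the report; it parses three records copied verbatim from the listing above (the selection is ours, the values are the page's) and flags near-duplicates by counting differing hex nibbles between Instruction Fuzzy Hashes of equal length. That nibble-distance is our own heuristic and is not the scoring behind the report's "Similarity" section.

```python
"""Parse Joe Sandbox function records (flat text export) and flag near-duplicate
functions by nibble distance between their Instruction Fuzzy Hashes."""
import re
from collections import Counter
from itertools import combinations

# Three records copied from the report above (two from the 0x06720000 dump whose
# hashes look alike, one from the 0x0116D000 dump). Selection is ours; values are the page's.
SAMPLE_RECORDS = """\
• Opcode ID: 58f4d305be6153d098e6efe25cad1b379fcb975d3906d595ff6e4117f506bf1d
• Instruction ID: 2315d6d183338119156a77d8bbe8f6345f83588b6712fcc3a6ae2b62d63c0a76
• Opcode Fuzzy Hash: 58f4d305be6153d098e6efe25cad1b379fcb975d3906d595ff6e4117f506bf1d
• Instruction Fuzzy Hash: 5351FB70B602259FEF645678D8A477F267AD789B50F20443AD00AC77D5DE7CCC818792
Memory Dump Source
• Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c7afdb3de0ca63aaf7c0c8ca89d9d6d5a61c72e095344734b7ef9b4a66c8dbf4
• Instruction ID: 599636bd1f4896a04a2c84ad155c9495f8be61ca3a4424b0cce05f270b412175
• Opcode Fuzzy Hash: c7afdb3de0ca63aaf7c0c8ca89d9d6d5a61c72e095344734b7ef9b4a66c8dbf4
• Instruction Fuzzy Hash: 38510770B602259FEF646678C8A473F267ED789B50F20442AE40AC37D5DEBDCC818792
Memory Dump Source
• Source File: 00000007.00000002.2569860409.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_6720000_sDflTDPSLw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e597250c3578cb83767eec482babc9cc616d6f610ba93d941ac0279c389a0817
• Instruction ID: 2a90e715bbd69a9e61959ccb01cb9ea7d3e2f3bfba624edce4bea78e581196a9
• Opcode Fuzzy Hash: e597250c3578cb83767eec482babc9cc616d6f610ba93d941ac0279c389a0817
• Instruction Fuzzy Hash: E3212571604340DFDF19DF54E4C0B16BB69EB88354F20C56DD8890B242C33BD457CA62
Memory Dump Source
• Source File: 00000007.00000002.2564794011.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_116d000_sDflTDPSLw.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
"""

# Bulleted "Key: value" line; the value may itself contain colons (Source File does).
FIELD = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")
OFFSET = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")


def parse_records(text):
    """One dict per function. A record starts at each 'Opcode ID' bullet; unbulleted
    section labels ('Memory Dump Source', 'Similarity', ...) are skipped."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Opcode ID":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def region_of(record):
    """Hex offset of the memory dump the function was lifted from, or None."""
    m = OFFSET.search(record.get("Source File", ""))
    return m.group(1).upper() if m else None


def functions_per_region(records):
    """How many recovered functions each memory region contributed."""
    return Counter(region_of(r) for r in records)


def hex_distance(a, b):
    """Nibble-wise Hamming distance between equal-length hex strings; None if the
    lengths differ. Our own heuristic, not Joe Sandbox's similarity metric."""
    if len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def near_duplicates(records, max_diff):
    """(Opcode ID, Opcode ID, distance) for pairs whose Instruction Fuzzy Hashes
    differ in at most max_diff nibbles."""
    out = []
    for r1, r2 in combinations(records, 2):
        d = hex_distance(r1["Instruction Fuzzy Hash"], r2["Instruction Fuzzy Hash"])
        if d is not None and d <= max_diff:
            out.append((r1["Opcode ID"], r2["Opcode ID"], d))
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(dict(functions_per_region(recs)))
    for a, b, d in near_duplicates(recs, 20):
        print(f"{a[:12]}... ~ {b[:12]}... ({d} of {len(recs[0]['Instruction Fuzzy Hash'])} nibbles differ)")
```

Run against the full export, the region count tells you at a glance that almost every lifted function lives in the 0x06720000 dump, which the report marks "based on PE: false", and the distance pass pulls out pairs such as the first two records above, which differ in only 14 of 70 nibbles. The threshold (20 here) is a triage knob, not a calibrated similarity score; lower it when the export is large and you only want the tightest clusters.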
                                    • Opcode ID: a09e4ac86f6dabbd3939ea16ebbd6618dc96c32b88f0b4e1e883662f68e0dce5
                                    • Instruction ID: 3ad9a912d9946444192b9264312d057c64f885a36835d6c48217e88ebe804650
                                    • Opcode Fuzzy Hash: a09e4ac86f6dabbd3939ea16ebbd6618dc96c32b88f0b4e1e883662f68e0dce5
                                    • Instruction Fuzzy Hash: 65E012B1E1011EEBDF50DEB4C95576A77ADD701218F2084A6D849CB201E676DB018780