Windows Analysis Report
pKXxiawkTj.exe

Overview

General Information

Sample name: pKXxiawkTj.exe (renamed because the original name is a hash value)
Original sample name: cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe
Analysis ID: 1587944
MD5: fb3b28a74fc931a89acb88affa85ac8f
SHA1: 0c3bcf811112241312ec1298fa11a86b58f5b351
SHA256: cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee
Tags: AsyncRAT, exe, user-adrian__luca

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected XWorm
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • pKXxiawkTj.exe (PID: 1456 cmdline: "C:\Users\user\Desktop\pKXxiawkTj.exe" MD5: FB3B28A74FC931A89ACB88AFFA85AC8F)
    • powershell.exe (PID: 664 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VfcnvkK.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2020 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5116 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp3D99.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • pKXxiawkTj.exe (PID: 5772 cmdline: "C:\Users\user\Desktop\pKXxiawkTj.exe" MD5: FB3B28A74FC931A89ACB88AFFA85AC8F)
    • pKXxiawkTj.exe (PID: 3232 cmdline: "C:\Users\user\Desktop\pKXxiawkTj.exe" MD5: FB3B28A74FC931A89ACB88AFFA85AC8F)
  • VfcnvkK.exe (PID: 2628 cmdline: C:\Users\user\AppData\Roaming\VfcnvkK.exe MD5: FB3B28A74FC931A89ACB88AFFA85AC8F)
    • schtasks.exe (PID: 6688 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp4DE5.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • VfcnvkK.exe (PID: 6356 cmdline: "C:\Users\user\AppData\Roaming\VfcnvkK.exe" MD5: FB3B28A74FC931A89ACB88AFFA85AC8F)
  • cleanup
Malware Configuration: {"C2 url": ["154.39.0.150"], "Port": 5200, "Aes key": "1987", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Yara matches in memory (Source / Rule / Description / Author / Strings)

Source: 0000000E.00000002.1376668702.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
  Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen
    • 0x87d1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x886e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x8983:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x8363:$cnc4: POST / HTTP/1.1
Source: 00000000.00000002.1307640783.0000000004479000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
  Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen
    • 0x35529:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x355c6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x356db:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x350bb:$cnc4: POST / HTTP/1.1
Source: 0000000B.00000002.1358950431.00000000032ED000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security

Yara matches in unpacked PE files (Source / Rule / Description / Author / Strings)

Source: 0.2.pKXxiawkTj.exe.44a5b58.0.unpack
  Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
  Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
    • 0x51d5:$str01: $VB$Local_Port
    • 0x51c6:$str02: $VB$Local_Host
    • 0x548a:$str03: get_Jpeg
    • 0x4eb3:$str04: get_ServicePack
    • 0x61f3:$str05: Select * from AntivirusProduct
    • 0x63ef:$str06: PCRestart
    • 0x6403:$str07: shutdown.exe /f /r /t 0
    • 0x64b5:$str08: StopReport
    • 0x648b:$str09: StopDDos
    • 0x6581:$str10: sendPlugin
    • 0x671f:$str12: -ExecutionPolicy Bypass -File "
    • 0x6848:$str13: Content-length: 5235
  Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen
    • 0x6bd1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x6c6e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x6d83:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x6763:$cnc4: POST / HTTP/1.1
Source: 0.2.pKXxiawkTj.exe.44a5b58.0.raw.unpack
  Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
  Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
    • 0x6fd5:$str01: $VB$Local_Port
    • 0x6fc6:$str02: $VB$Local_Host
    • 0x728a:$str03: get_Jpeg
    • 0x6cb3:$str04: get_ServicePack
    • 0x7ff3:$str05: Select * from AntivirusProduct
    • 0x81ef:$str06: PCRestart
    • 0x8203:$str07: shutdown.exe /f /r /t 0
    • 0x82b5:$str08: StopReport
    • 0x828b:$str09: StopDDos
    • 0x8381:$str10: sendPlugin
    • 0x851f:$str12: -ExecutionPolicy Bypass -File "
    • 0x8648:$str13: Content-length: 5235

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VfcnvkK.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VfcnvkK.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\pKXxiawkTj.exe", ParentImage: C:\Users\user\Desktop\pKXxiawkTj.exe, ParentProcessId: 1456, ParentProcessName: pKXxiawkTj.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VfcnvkK.exe", ProcessId: 664, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VfcnvkK.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VfcnvkK.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\pKXxiawkTj.exe", ParentImage: C:\Users\user\Desktop\pKXxiawkTj.exe, ParentProcessId: 1456, ParentProcessName: pKXxiawkTj.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VfcnvkK.exe", ProcessId: 664, ProcessName: powershell.exe
Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: EventID: 11, Image: C:\Users\user\Desktop\pKXxiawkTj.exe, ProcessId: 3232, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepab.lnk
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp4DE5.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp4DE5.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\VfcnvkK.exe, ParentImage: C:\Users\user\AppData\Roaming\VfcnvkK.exe, ParentProcessId: 2628, ParentProcessName: VfcnvkK.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp4DE5.tmp", ProcessId: 6688, ProcessName: schtasks.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp3D99.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp3D99.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\pKXxiawkTj.exe", ParentImage: C:\Users\user\Desktop\pKXxiawkTj.exe, ParentProcessId: 1456, ParentProcessName: pKXxiawkTj.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp3D99.tmp", ProcessId: 5116, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VfcnvkK.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VfcnvkK.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\pKXxiawkTj.exe", ParentImage: C:\Users\user\Desktop\pKXxiawkTj.exe, ParentProcessId: 1456, ParentProcessName: pKXxiawkTj.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VfcnvkK.exe", ProcessId: 664, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp3D99.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp3D99.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\pKXxiawkTj.exe", ParentImage: C:\Users\user\Desktop\pKXxiawkTj.exe, ParentProcessId: 1456, ParentProcessName: pKXxiawkTj.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp3D99.tmp", ProcessId: 5116, ProcessName: schtasks.exe
No Suricata rule has matched

AV Detection

Source: pKXxiawkTj.exe, Avira: detected
Source: C:\Users\user\AppData\Roaming\Notepab.exe, Avira: detection malicious, Label: HEUR/AGEN.1305624
Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe, Avira: detection malicious, Label: HEUR/AGEN.1305624
Source: 00000000.00000002.1307640783.0000000004479000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: Xworm {"C2 url": ["154.39.0.150"], "Port": 5200, "Aes key": "1987", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\Notepab.exe, ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe, ReversingLabs: Detection: 81%
Source: pKXxiawkTj.exe, Virustotal: Detection: 83%
Source: pKXxiawkTj.exe, ReversingLabs: Detection: 81%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Notepab.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe, Joe Sandbox ML: detected
Source: pKXxiawkTj.exe, Joe Sandbox ML: detected
Source: 00000000.00000002.1307640783.0000000004479000.00000004.00000800.00020000.00000000.sdmp, String decryptor: 154.39.0.150
Source: 00000000.00000002.1307640783.0000000004479000.00000004.00000800.00020000.00000000.sdmp, String decryptor: 5200
Source: 00000000.00000002.1307640783.0000000004479000.00000004.00000800.00020000.00000000.sdmp, String decryptor: 1987
Source: 00000000.00000002.1307640783.0000000004479000.00000004.00000800.00020000.00000000.sdmp, String decryptor: <Xwormmm>
Source: 00000000.00000002.1307640783.0000000004479000.00000004.00000800.00020000.00000000.sdmp, String decryptor: XWorm V5.6
Source: 00000000.00000002.1307640783.0000000004479000.00000004.00000800.00020000.00000000.sdmp, String decryptor: USB.exe
Source: 00000000.00000002.1307640783.0000000004479000.00000004.00000800.00020000.00000000.sdmp, String decryptor: %AppData%
Source: 00000000.00000002.1307640783.0000000004479000.00000004.00000800.00020000.00000000.sdmp, String decryptor: Notepab.exe
Source: pKXxiawkTj.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: pKXxiawkTj.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor, URLs: 154.39.0.150
Source: global traffic, TCP traffic: 192.168.2.7:49710 -> 154.39.0.150:5200
Source: global traffic, TCP traffic: 192.168.2.7:59731 -> 162.159.36.2:53
Source: Joe Sandbox View, ASN Name: COGENT-174US COGENT-174US
Source: unknown, TCP traffic detected without corresponding DNS query: 154.39.0.150
Source: unknown, TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: pKXxiawkTj.exe, 00000000.00000002.1307232411.000000000364D000.00000004.00000800.00020000.00000000.sdmp, pKXxiawkTj.exe, 00000008.00000002.3768528862.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, VfcnvkK.exe, 0000000B.00000002.1358950431.00000000032ED000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pKXxiawkTj.exe, Notepab.exe.8.dr, VfcnvkK.exe.0.dr, String found in binary or memory: https://api.libertyreserve.com/beta/xml/
Source: pKXxiawkTj.exe, Notepab.exe.8.dr, VfcnvkK.exe.0.dr, String found in binary or memory: https://api.libertyreserve.com/beta/xml/balance.aspx$AccountNameRequestphttps://api.libertyreserve.c
Source: pKXxiawkTj.exe, Notepab.exe.8.dr, VfcnvkK.exe.0.dr, String found in binary or memory: https://api.libertyreserve.com/beta/xml/balance.aspx%AccountNameRequestqhttps://api.libertyreserve.c
Source: VfcnvkK.exe.0.dr, String found in binary or memory: https://api.libertyreserve.com/beta/xml/history.aspx
Source: VfcnvkK.exe.0.dr, String found in binary or memory: https://api.libertyreserve.com/beta/xml/transfer.aspx
Source: VfcnvkK.exe.0.dr, String found in binary or memory: https://sci.libertyreserve.com/
Source: C:\Users\user\Desktop\pKXxiawkTj.exe, Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.pKXxiawkTj.exe.44a5b58.0.unpack, type: UNPACKEDPE, Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
Source: 0.2.pKXxiawkTj.exe.44a5b58.0.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.2.pKXxiawkTj.exe.44a5b58.0.raw.unpack, type: UNPACKEDPE, Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
Source: 0.2.pKXxiawkTj.exe.44a5b58.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.2.pKXxiawkTj.exe.4f5f458.1.raw.unpack, type: UNPACKEDPE, Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
Source: 0.2.pKXxiawkTj.exe.4f5f458.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 14.2.VfcnvkK.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
Source: 14.2.VfcnvkK.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.2.pKXxiawkTj.exe.4f5f458.1.unpack, type: UNPACKEDPE, Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
Source: 0.2.pKXxiawkTj.exe.4f5f458.1.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.2.pKXxiawkTj.exe.4ef8a38.2.raw.unpack, type: UNPACKEDPE, Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
Source: 0.2.pKXxiawkTj.exe.4ef8a38.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.2.pKXxiawkTj.exe.4e92018.3.raw.unpack, type: UNPACKEDPE, Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings, Author: Sekoia.io
Source: 0.2.pKXxiawkTj.exe.4e92018.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0000000E.00000002.1376668702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000000.00000002.1307640783.0000000004479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0000000B.00000002.1358950431.00000000032ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000000.00000002.1307232411.000000000364D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000000.00000002.1307640783.0000000004CE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: C:\Users\user\Desktop\pKXxiawkTj.exe, Process Stats: CPU usage > 49%
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeCode function: 11_2_07CA2E1011_2_07CA2E10
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeCode function: 11_2_07CA2B4A11_2_07CA2B4A
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeCode function: 11_2_07CA4A8011_2_07CA4A80
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeCode function: 11_2_07CA4A7111_2_07CA4A71
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeCode function: 11_2_07CAD5A811_2_07CAD5A8
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeCode function: 11_2_07CA354811_2_07CA3548
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeCode function: 11_2_07CA353A11_2_07CA353A
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeCode function: 11_2_07CA314011_2_07CA3140
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeCode function: 11_2_07CA315011_2_07CA3150
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeCode function: 11_2_07CA502111_2_07CA5021
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeCode function: 11_2_07CA503011_2_07CA5030
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeCode function: 11_2_07CA390811_2_07CA3908
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeCode function: 11_2_07CA38F811_2_07CA38F8
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeCode function: 11_2_07CAD80811_2_07CAD808
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeCode function: 11_2_0EAA209811_2_0EAA2098
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeCode function: 14_2_028D136014_2_028D1360
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeCode function: 14_2_028D1A0A14_2_028D1A0A
Source: pKXxiawkTj.exe, 00000000.00000002.1307640783.0000000004479000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs pKXxiawkTj.exe
Source: pKXxiawkTj.exe, 00000000.00000002.1307640783.0000000004479000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs pKXxiawkTj.exe
Source: pKXxiawkTj.exe, 00000000.00000002.1310870460.0000000007610000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs pKXxiawkTj.exe
Source: pKXxiawkTj.exe, 00000000.00000002.1311914118.0000000007CC1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamer vs pKXxiawkTj.exe
Source: pKXxiawkTj.exe, 00000000.00000002.1306159956.000000000165E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs pKXxiawkTj.exe
Source: pKXxiawkTj.exe, 00000000.00000002.1310564532.0000000005E30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs pKXxiawkTj.exe
Source: pKXxiawkTj.exe, 00000000.00000000.1287328475.000000000101E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedxDF.exe4 vs pKXxiawkTj.exe
Source: pKXxiawkTj.exe, 00000000.00000002.1307640783.0000000004CE5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs pKXxiawkTj.exe
Source: pKXxiawkTj.exe, 00000000.00000002.1307640783.0000000004CE5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs pKXxiawkTj.exe
Source: pKXxiawkTj.exe, 00000008.00000002.3773151104.0000000005FF9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs pKXxiawkTj.exe
Source: pKXxiawkTj.exe, 00000008.00000002.3771740770.00000000040F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedxDF.exe4 vs pKXxiawkTj.exe
Source: pKXxiawkTj.exe | Binary or memory string: OriginalFilenamedxDF.exe4 vs pKXxiawkTj.exe
Source: pKXxiawkTj.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.pKXxiawkTj.exe.44a5b58.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.pKXxiawkTj.exe.44a5b58.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.pKXxiawkTj.exe.44a5b58.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.pKXxiawkTj.exe.44a5b58.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.pKXxiawkTj.exe.4f5f458.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.pKXxiawkTj.exe.4f5f458.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 14.2.VfcnvkK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 14.2.VfcnvkK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.pKXxiawkTj.exe.4f5f458.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.pKXxiawkTj.exe.4f5f458.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.pKXxiawkTj.exe.4ef8a38.2.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.pKXxiawkTj.exe.4ef8a38.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.pKXxiawkTj.exe.4e92018.3.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.pKXxiawkTj.exe.4e92018.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000E.00000002.1376668702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1307640783.0000000004479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.1358950431.00000000032ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1307232411.000000000364D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1307640783.0000000004CE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: pKXxiawkTj.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VfcnvkK.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Notepab.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@18/14@0/1
Source: C:\Users\user\Desktop\pKXxiawkTj.exe | File created: C:\Users\user\AppData\Roaming\VfcnvkK.exe
Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\pKXxiawkTj.exe | Mutant created: \Sessions\1\BaseNamedObjects\Tta9Wy8kD7xwtsRU
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2064:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4832:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1648:120:WilError_03
Source: C:\Users\user\Desktop\pKXxiawkTj.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3D99.tmp
Source: pKXxiawkTj.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: pKXxiawkTj.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\pKXxiawkTj.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\pKXxiawkTj.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: pKXxiawkTj.exe | Virustotal: Detection: 83%
Source: pKXxiawkTj.exe | ReversingLabs: Detection: 81%
Source: pKXxiawkTj.exe | String found in binary or memory: PageCount-Start date is missing.MHistory is not available before '{0}'.
Source: C:\Users\user\Desktop\pKXxiawkTj.exe | File read: C:\Users\user\Desktop\pKXxiawkTj.exe
Source: unknown | Process created: C:\Users\user\Desktop\pKXxiawkTj.exe "C:\Users\user\Desktop\pKXxiawkTj.exe"
Source: C:\Users\user\Desktop\pKXxiawkTj.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VfcnvkK.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pKXxiawkTj.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp3D99.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pKXxiawkTj.exe | Process created: C:\Users\user\Desktop\pKXxiawkTj.exe "C:\Users\user\Desktop\pKXxiawkTj.exe"
Source: C:\Users\user\Desktop\pKXxiawkTj.exe | Process created: C:\Users\user\Desktop\pKXxiawkTj.exe "C:\Users\user\Desktop\pKXxiawkTj.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\VfcnvkK.exe C:\Users\user\AppData\Roaming\VfcnvkK.exe
Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp4DE5.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Process created: C:\Users\user\AppData\Roaming\VfcnvkK.exe "C:\Users\user\AppData\Roaming\VfcnvkK.exe"
Source: C:\Users\user\Desktop\pKXxiawkTj.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VfcnvkK.exe"
Source: C:\Users\user\Desktop\pKXxiawkTj.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp3D99.tmp"
Source: C:\Users\user\Desktop\pKXxiawkTj.exe | Process created: C:\Users\user\Desktop\pKXxiawkTj.exe "C:\Users\user\Desktop\pKXxiawkTj.exe"
Source: C:\Users\user\Desktop\pKXxiawkTj.exe | Process created: C:\Users\user\Desktop\pKXxiawkTj.exe "C:\Users\user\Desktop\pKXxiawkTj.exe"
Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp4DE5.tmp"
Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Process created: C:\Users\user\AppData\Roaming\VfcnvkK.exe "C:\Users\user\AppData\Roaming\VfcnvkK.exe"
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: iconcodecservice.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: scrrun.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: linkinfo.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: ntshrui.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: cscapi.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: avicap32.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: msvfw32.dllJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: iconcodecservice.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: slc.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: sppc.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Notepab.lnk.8.dr | LNK file: ..\..\..\..\..\Notepab.exe
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: pKXxiawkTj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: pKXxiawkTj.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe | Code function: 0_2_0164E9B8 pushfd ; retf 0_2_0164E9B9
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe | Code function: 0_2_0164F550 pushad ; iretd 0_2_0164F559
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe | Code function: 0_2_0164DBE4 pushfd ; ret 0_2_0164DBED
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe | Code function: 11_2_012CE9B8 pushfd ; retf 11_2_012CE9B9
            Source: pKXxiawkTj.exe | Static PE information: section name: .text entropy: 7.555625480789712
            Source: VfcnvkK.exe.0.dr | Static PE information: section name: .text entropy: 7.555625480789712
            Source: Notepab.exe.8.dr | Static PE information: section name: .text entropy: 7.555625480789712
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe | File created: C:\Users\user\AppData\Roaming\VfcnvkK.exe
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe | File created: C:\Users\user\AppData\Roaming\Notepab.exe

            Boot Survival

            Source: C:\Users\user\Desktop\pKXxiawkTj.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp3D99.tmp"
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepab.lnk

            Hooking and other Techniques for Hiding and Protection

            Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon (2112).png
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Process information set: NOOPENFILEERRORBOX (62 identical entries)

            Malware Analysis System Evasion

            Source: Yara match File source: Process Memory Space: pKXxiawkTj.exe PID: 1456, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: VfcnvkK.exe PID: 2628, type: MEMORYSTR
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (54 identical entries)
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Memory allocated: 1640000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Memory allocated: 3470000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Memory allocated: 1A10000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Memory allocated: 91C0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Memory allocated: A1C0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Memory allocated: A3B0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Memory allocated: B3B0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Memory allocated: BDA0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Memory allocated: CDA0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Memory allocated: DDA0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Memory allocated: 2F50000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Memory allocated: 30F0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Memory allocated: 50F0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Memory allocated: 12B0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Memory allocated: 3110000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Memory allocated: 2F50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Memory allocated: 9010000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Memory allocated: 7570000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Memory allocated: A010000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Memory allocated: 78B0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Memory allocated: B540000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Memory allocated: C540000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Memory allocated: D540000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Memory allocated: 28D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Memory allocated: 2A90000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Memory allocated: 4A90000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5434
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4275
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Window / User API: threadDelayed 2403
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Window / User API: threadDelayed 7383
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe TID: 1204 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6340 Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe TID: 7212 Thread sleep time: -34126476536362649s >= -30000s
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe TID: 180 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe TID: 2064 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (2 identical entries)
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe File Volume queried: C:\ FullSizeInformation (31 identical entries)
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
            Source: pKXxiawkTj.exe, 00000000.00000002.1311914118.0000000007CB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: pKXxiawkTj.exe, 00000008.00000002.3774907614.0000000006F20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VfcnvkK.exe" (2 identical entries)
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Memory written: C:\Users\user\Desktop\pKXxiawkTj.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Memory written: C:\Users\user\AppData\Roaming\VfcnvkK.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VfcnvkK.exe"
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp3D99.tmp"
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Process created: C:\Users\user\Desktop\pKXxiawkTj.exe "C:\Users\user\Desktop\pKXxiawkTj.exe" (2 identical entries)
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp4DE5.tmp"
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exe Process created: C:\Users\user\AppData\Roaming\VfcnvkK.exe "C:\Users\user\AppData\Roaming\VfcnvkK.exe"
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Queries volume information: C:\Users\user\Desktop\pKXxiawkTj.exe VolumeInformation
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 identical entries)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeQueries volume information: C:\Users\user\Desktop\pKXxiawkTj.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeQueries volume information: C:\Users\user\AppData\Roaming\VfcnvkK.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeQueries volume information: C:\Users\user\AppData\Roaming\VfcnvkK.exe VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\VfcnvkK.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\pKXxiawkTj.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: pKXxiawkTj.exe, 00000008.00000002.3774907614.0000000006F4E000.00000004.00000020.00020000.00000000.sdmp, pKXxiawkTj.exe, 00000008.00000002.3774907614.0000000006F20000.00000004.00000020.00020000.00000000.sdmp, pKXxiawkTj.exe, 00000008.00000002.3767059066.00000000015B9000.00000004.00000020.00020000.00000000.sdmp, pKXxiawkTj.exe, 00000008.00000002.3767059066.0000000001557000.00000004.00000020.00020000.00000000.sdmp, pKXxiawkTj.exe, 00000008.00000002.3767059066.000000000159B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\pKXxiawkTj.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct (logged 54 times)

            Stealing of Sensitive Information

            barindex
            Source: Yara match | File source: 0.2.pKXxiawkTj.exe.44a5b58.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.pKXxiawkTj.exe.44a5b58.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.pKXxiawkTj.exe.4f5f458.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 14.2.VfcnvkK.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.pKXxiawkTj.exe.4f5f458.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.pKXxiawkTj.exe.4ef8a38.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.pKXxiawkTj.exe.4e92018.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000E.00000002.1376668702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1307640783.0000000004479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.1358950431.00000000032ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1307232411.000000000364D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1307640783.0000000004CE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: pKXxiawkTj.exe PID: 1456, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: VfcnvkK.exe PID: 2628, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: VfcnvkK.exe PID: 6356, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Source: Yara match | File source: 0.2.pKXxiawkTj.exe.44a5b58.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.pKXxiawkTj.exe.44a5b58.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.pKXxiawkTj.exe.4f5f458.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 14.2.VfcnvkK.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.pKXxiawkTj.exe.4f5f458.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.pKXxiawkTj.exe.4ef8a38.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.pKXxiawkTj.exe.4e92018.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000E.00000002.1376668702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1307640783.0000000004479000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000B.00000002.1358950431.00000000032ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1307232411.000000000364D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1307640783.0000000004CE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: pKXxiawkTj.exe PID: 1456, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: VfcnvkK.exe PID: 2628, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: VfcnvkK.exe PID: 6356, type: MEMORYSTR
            MITRE ATT&CK matrix (techniques grouped by tactic column; the numeric prefixes are the report's own count badges)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
            Execution: 11 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 Scheduled Task/Job; Cron; Launchd; Scheduled Task; Systemd Timers
            Persistence: 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
            Privilege Escalation: 111 Process Injection; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items
            Defense Evasion: 11 Masquerading; 11 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 111 Process Injection; 2 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
            Discovery: 221 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery; Remote System Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
            Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
            Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1587944 | Sample: pKXxiawkTj.exe | Start date: 10/01/2025 | Architecture: WINDOWS | Score: 100

            Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 13 other signatures

            pKXxiawkTj.exe (started from the sample)
            • Dropped files: C:\Users\user\AppData\Roaming\VfcnvkK.exe (PE32); C:\Users\user\...\VfcnvkK.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp3D99.tmp (XML); C:\Users\user\AppData\...\pKXxiawkTj.exe.log (ASCII)
            • Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
            • Child processes: pKXxiawkTj.exe; powershell.exe; schtasks.exe; pKXxiawkTj.exe
            • pKXxiawkTj.exe (child): network contact 154.39.0.150, ports 49710, 49720, 49744 (COGENT-174US, United States); dropped file C:\Users\user\AppData\Roaming\Notepab.exe (PE32)
            • powershell.exe (child): Loading BitLocker PowerShell Module; child processes WmiPrvSE.exe, conhost.exe
            • schtasks.exe (child): child process conhost.exe

            VfcnvkK.exe (started from the sample)
            • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
            • Child processes: schtasks.exe (child process conhost.exe); VfcnvkK.exe

            Source | Detection | Scanner | Label
            pKXxiawkTj.exe | 83% | Virustotal |
            pKXxiawkTj.exe | 82% | ReversingLabs | Win32.Trojan.Leonem
            pKXxiawkTj.exe | 100% | Avira | HEUR/AGEN.1305624
            pKXxiawkTj.exe | 100% | Joe Sandbox ML |
            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\Notepab.exe | 100% | Avira | HEUR/AGEN.1305624
            C:\Users\user\AppData\Roaming\VfcnvkK.exe | 100% | Avira | HEUR/AGEN.1305624
            C:\Users\user\AppData\Roaming\Notepab.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Roaming\VfcnvkK.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Roaming\Notepab.exe | 82% | ReversingLabs | Win32.Trojan.Leonem
            C:\Users\user\AppData\Roaming\VfcnvkK.exe | 82% | ReversingLabs | Win32.Trojan.Leonem
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            154.39.0.150 | 0% | Avira URL Cloud | safe
            No contacted domains info
            Name | Malicious | Antivirus Detection | Reputation
            154.39.0.150 | true | Avira URL Cloud: safe | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://api.libertyreserve.com/beta/xml/balance.aspx%AccountNameRequestqhttps://api.libertyreserve.c | pKXxiawkTj.exe, Notepab.exe.8.dr, VfcnvkK.exe.0.dr | false | | high
            https://api.libertyreserve.com/beta/xml/transfer.aspx | VfcnvkK.exe.0.dr | false | | high
            https://api.libertyreserve.com/beta/xml/balance.aspx$AccountNameRequestphttps://api.libertyreserve.c | pKXxiawkTj.exe, Notepab.exe.8.dr, VfcnvkK.exe.0.dr | false | | high
            https://sci.libertyreserve.com/ | VfcnvkK.exe.0.dr | false | | high
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | pKXxiawkTj.exe, 00000000.00000002.1307232411.000000000364D000.00000004.00000800.00020000.00000000.sdmp, pKXxiawkTj.exe, 00000008.00000002.3768528862.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, VfcnvkK.exe, 0000000B.00000002.1358950431.00000000032ED000.00000004.00000800.00020000.00000000.sdmp | false | | high
            https://api.libertyreserve.com/beta/xml/history.aspx | VfcnvkK.exe.0.dr | false | | high
            https://api.libertyreserve.com/beta/xml/ | pKXxiawkTj.exe, Notepab.exe.8.dr, VfcnvkK.exe.0.dr | false | | high
            IP | Domain | Country | ASN | ASN Name | Malicious
            154.39.0.150 | unknown | United States | 174 | COGENT-174US | true
            Joe Sandbox version: 42.0.0 Malachite
            Analysis ID: 1587944
            Start date and time: 2025-01-10 19:37:09 +01:00
            Joe Sandbox product: CloudBasic
            Overall analysis duration: 0h 8m 30s
            Hypervisor based Inspection enabled: false
            Report type: full
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed: 20
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Sample name: pKXxiawkTj.exe (renamed because the original name is a hash value)
            Original Sample Name: cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee.exe
            Detection: MAL
            Classification: mal100.troj.evad.winEXE@18/14@0/1
                          EGA Information:
                          • Successful, ratio: 75%
                          HCA Information:
                          • Successful, ratio: 96%
                          • Number of executed functions: 91
                          • Number of non-executed functions: 35
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 13.107.246.45, 2.23.242.162, 4.175.87.197
                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
                          • Execution Graph export aborted for target VfcnvkK.exe, PID 6356 because it is empty
• Not all processes were analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
13:38:06 | API Interceptor | 8693971x Sleep call for process: pKXxiawkTj.exe modified
13:38:07 | API Interceptor | 15x Sleep call for process: powershell.exe modified
13:38:10 | API Interceptor | 1x Sleep call for process: VfcnvkK.exe modified
19:38:10 | Task Scheduler | Run new task: VfcnvkK path: C:\Users\user\AppData\Roaming\VfcnvkK.exe
19:38:16 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepab.lnk
Match | Associated Sample Name / URL | Detection | Threat Name
154.39.0.150 | Receipt-#202431029B.exe | malicious | XWorm
                            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP in ASN)
COGENT-174 (US) | frosty.arm.elf | malicious | Mirai | 154.62.137.46
COGENT-174 (US) | frosty.spc.elf | malicious | Mirai | 38.148.77.12
COGENT-174 (US) | frosty.sh4.elf | malicious | Mirai | 23.154.10.225
COGENT-174 (US) | cNDddMAF5u.exe | malicious | FormBook | 154.23.178.231
COGENT-174 (US) | zE1VxVoZ3W.exe | malicious | FormBook | 38.181.21.54
COGENT-174 (US) | https://sign-as.allarknow.online/ | malicious | Unknown | 50.7.127.10
COGENT-174 (US) | http://pdfdrive.com.co | malicious | Unknown | 143.244.56.53
COGENT-174 (US) | https://www.cineuserdad.ec | malicious | Unknown | 50.7.24.35
COGENT-174 (US) | 5.elf | malicious | Unknown | 38.148.53.45
COGENT-174 (US) | armv5l.elf | malicious | Unknown | 38.12.137.2
                            No context
                            No context
                            Process:C:\Users\user\AppData\Roaming\VfcnvkK.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1216
                            Entropy (8bit):5.34331486778365
                            Encrypted:false
                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                            Process:C:\Users\user\Desktop\pKXxiawkTj.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1216
                            Entropy (8bit):5.34331486778365
                            Encrypted:false
                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                            Malicious:true
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2232
                            Entropy (8bit):5.379552885213346
                            Encrypted:false
                            SSDEEP:48:fWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeoM0Uyus:fLHxvCsIfA2KRHmOugU1s
                            MD5:9A8E8C8CDBDA6772FAC1C51A88DC89B6
                            SHA1:B0E88CCF26816A3037ED18E26DBB3005FAB1ECBA
                            SHA-256:096217CDF15586E58ABFCB3877E8EEAB2FA607CE4D8D47DA167D34CBDD556AFD
                            SHA-512:4405D85F3EF190CD411D9949E8BAA059DB1FB00888034C135E08B3D1FADE01B932B245A0267F2F4F0BDFAFCBA2BFE4CE771866E569F77A4046EE0F972E1C20BC
                            Malicious:false
                            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                            Process:C:\Users\user\Desktop\pKXxiawkTj.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):29
                            Entropy (8bit):3.598349098128234
                            Encrypted:false
                            SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                            MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                            SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                            SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                            SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                            Malicious:false
                            Preview:....### explorer ###..[WIN]r
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.038920595031593
                            Encrypted:false
                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                            Malicious:false
                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                            Process:C:\Users\user\Desktop\pKXxiawkTj.exe
                            File Type:XML 1.0 document, ASCII text
                            Category:dropped
                            Size (bytes):1601
                            Entropy (8bit):5.120381299175655
                            Encrypted:false
                            SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtwxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTAv
                            MD5:717A9A95C9623BBDAB40B325869A86A2
                            SHA1:2A038E736B924BA1E8735D7B5D471DD0F7D16BB9
                            SHA-256:409315A4ABD4A1A6FCA942C1EFF40C6923EC5FE290B5D1F34E2B9392E7BACBF7
                            SHA-512:6A544CB0DD7F6DDDD46A1821792EE0EFF2FC74D36B92AE580D0130FBB85B632397804F6F31722B52F6F46776C40FF3CE74BD214FE1ACA68D0A97ADF76B1CBBC3
                            Malicious:true
                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                            Process:C:\Users\user\AppData\Roaming\VfcnvkK.exe
                            File Type:XML 1.0 document, ASCII text
                            Category:dropped
                            Size (bytes):1601
                            Entropy (8bit):5.120381299175655
                            Encrypted:false
                            SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtwxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTAv
                            MD5:717A9A95C9623BBDAB40B325869A86A2
                            SHA1:2A038E736B924BA1E8735D7B5D471DD0F7D16BB9
                            SHA-256:409315A4ABD4A1A6FCA942C1EFF40C6923EC5FE290B5D1F34E2B9392E7BACBF7
                            SHA-512:6A544CB0DD7F6DDDD46A1821792EE0EFF2FC74D36B92AE580D0130FBB85B632397804F6F31722B52F6F46776C40FF3CE74BD214FE1ACA68D0A97ADF76B1CBBC3
                            Malicious:false
                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
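The two dropped task definitions above are the XML that the sample (and later its copy VfcnvkK.exe) hands to the Task Scheduler: a LogonTrigger, an interactive-token principal at LeastPrivilege, and a hard-coded RegistrationInfo date from 2014 in a task registered in 2025. The preview is cut off before the Actions element, but the timeline row "Run new task: VfcnvkK path: C:\Users\user\AppData\Roaming\VfcnvkK.exe" gives the action's target. The following triage script is an added example, not code from the report or from Joe Sandbox: it parses a task definition of this shape and flags a logon- or boot-triggered task whose Exec command lives in a user-writable directory. The sample XML inside it is constructed from the preview above, with an assumed Actions element pointing at the path from the timeline.

```python
"""Triage a Windows scheduled-task definition (the XML that schtasks.exe /Create /XML
consumes and that Task Scheduler stores under C:\\Windows\\System32\\Tasks) for the
persistence pattern in this report: a logon-triggered task whose action runs a binary
from a user-writable directory. Added example; not code from the report or Joe Sandbox."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Trigger kinds that fire without user interaction and therefore give persistence.
AUTOSTART_TRIGGERS = {"LogonTrigger", "BootTrigger"}

# Directories an unprivileged user can write to. An Exec action pointing here is not
# proof of malice (updaters live in AppData too) but is the cheap first filter.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|Users\\Public|ProgramData|Downloads)\\", re.IGNORECASE
)

# Constructed sample: the report's task-XML preview, completed with an <Actions>
# element (assumed; the preview is truncated) that points at the path the report's
# timeline shows for the task "VfcnvkK".
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\VfcnvkK.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign counterpart: same task, action under System32 instead.
BENIGN_TASK_XML = SAMPLE_TASK_XML.replace(
    "C:\\Users\\user\\AppData\\Roaming\\VfcnvkK.exe", "C:\\Windows\\System32\\notepad.exe"
)


def _strip_declaration(xml_text: str) -> str:
    # The on-disk file is UTF-16 with a matching declaration; once decoded to str the
    # declaration no longer describes the input, so drop it before parsing.
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)


def analyze_task(xml_text: str) -> dict:
    """Return enabled triggers, run level, Exec commands and the suspicious subset."""
    root = ET.fromstring(_strip_declaration(xml_text))

    triggers = []
    trig_parent = root.find("t:Triggers", NS)
    if trig_parent is not None:
        for trig in trig_parent:
            # A trigger is enabled unless it carries an explicit <Enabled>false</Enabled>.
            enabled = trig.findtext("t:Enabled", default="true", namespaces=NS)
            if enabled.strip().lower() != "false":
                triggers.append(trig.tag.split("}")[-1])  # drop the namespace prefix

    principal = root.find("t:Principals/t:Principal", NS)
    run_level = ""
    if principal is not None:
        run_level = principal.findtext("t:RunLevel", default="", namespaces=NS)

    commands = [(c.text or "").strip()
                for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    suspicious = [c for c in commands if USER_WRITABLE.search(c)]

    return {
        "triggers": triggers,
        "run_level": run_level,
        "commands": commands,
        "suspicious_paths": suspicious,
        # Flag only the combination: autostart trigger AND user-writable target.
        "flag": bool(suspicious) and bool(AUTOSTART_TRIGGERS & set(triggers)),
    }


if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, analyze_task(xml))
```

On a live host the same function can be pointed at the files under C:\Windows\System32\Tasks (read them as UTF-16 and pass the decoded text); the path filter is deliberately loose so that the run-level and trigger fields, not the path alone, decide what gets escalated.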
                            Process:C:\Users\user\Desktop\pKXxiawkTj.exe
                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Jan 10 17:38:11 2025, mtime=Fri Jan 10 17:38:11 2025, atime=Fri Jan 10 17:38:11 2025, length=800256, window=hide
                            Category:dropped
                            Size (bytes):768
                            Entropy (8bit):5.084704472772225
                            Encrypted:false
                            SSDEEP:12:80RC24qvyN+2Chyi1Y//XflML/19lOjAGANHZ2lgGKuJGuJzBmV:8Q0qL2R9g9yAGOCgGKuJGuJtm
                            MD5:5CFB49A5A97779CB2CEEFC75C4CBCCC9
                            SHA1:C88A2531736460CBB3B32A094EDE76CC83A0B818
                            SHA-256:96F3AB6ACC098CF5B626FCCBB72F9D4FAEC3EA0A8AD2926013D45FE621ED9B69
                            SHA-512:46DD506A8B60781F2C88C158BD1EDFC9790618042C54D7AB5834EFC39CDF71B78CC231E1A2C81FE4C34A4A80EEB074EF50E9BC02D85A4495775945FFF85F1D90
                            Malicious:false
                            Preview:L..................F.... ....QD.c...QD.c...QD.c...6......................v.:..DG..Yr?.D..U..k0.&...&......Qg.*_.......c...R.c......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=*Z...........................3*N.A.p.p.D.a.t.a...B.V.1.....*Z...Roaming.@......EW.=*Z...........................mp .R.o.a.m.i.n.g.....b.2..6..*Z. .Notepab.exe.H......*Z.*Z.....t.....................mp .N.o.t.e.p.a.b...e.x.e.......]...............-.......\...........3........C:\Users\user\AppData\Roaming\Notepab.exe........\.....\.....\.....\.....\.N.o.t.e.p.a.b...e.x.e.`.......X.......301389...........hT..CrF.f4... .!../Tc...,......hT..CrF.f4... .!../Tc...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                            Process:C:\Users\user\Desktop\pKXxiawkTj.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):800256
                            Entropy (8bit):7.339482386762247
                            Encrypted:false
                            SSDEEP:12288:bL8f2uE1zDeQrlWxDgBvSI6Gf2GKUAOB0pApklKZCPHSljKdAA:bLu2uOGe4xDgEJROB+lLPHSljYA
                            MD5:FB3B28A74FC931A89ACB88AFFA85AC8F
                            SHA1:0C3BCF811112241312EC1298FA11A86B58F5B351
                            SHA-256:CACD71018BABC4F0E7E0676FEEA914EC61E37216487A567A1E94D9F518CF40EE
                            SHA-512:E8528285C36B64258B2284BE49AEFF4AAEAA5531043EF86C4442F481FD7F331D6C738E1409BCEDC66D2FB5C9C0469F53C40DBB94FAD09802926DBC05414533ED
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 82%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ag..............0.................. ........@.. ....................................@.................................P...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc...............4..............@..B........................H.......XX..(.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*r.(......(......(......(....*.0..Y........(.....(.....{...........%.r...p(....s.....%.r...p(....s.....%.r!..p(....s........(....&*....0..j..........{....o....(....%.}.....}.....{....rg..p.|....(....rq..p(....o.....{....rg..p.|....(....rq..p(....o....*...0..]........{....o....(.....#......@.Y.#3333...@.#.......@ZX#.p=...?Y.(......{......(....o...
                            Process:C:\Users\user\Desktop\pKXxiawkTj.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):800256
                            Entropy (8bit):7.339482386762247
                            Encrypted:false
                            SSDEEP:12288:bL8f2uE1zDeQrlWxDgBvSI6Gf2GKUAOB0pApklKZCPHSljKdAA:bLu2uOGe4xDgEJROB+lLPHSljYA
                            MD5:FB3B28A74FC931A89ACB88AFFA85AC8F
                            SHA1:0C3BCF811112241312EC1298FA11A86B58F5B351
                            SHA-256:CACD71018BABC4F0E7E0676FEEA914EC61E37216487A567A1E94D9F518CF40EE
                            SHA-512:E8528285C36B64258B2284BE49AEFF4AAEAA5531043EF86C4442F481FD7F331D6C738E1409BCEDC66D2FB5C9C0469F53C40DBB94FAD09802926DBC05414533ED
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 82%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ag..............0.................. ........@.. ....................................@.................................P...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc...............4..............@..B........................H.......XX..(.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*r.(......(......(......(....*.0..Y........(.....(.....{...........%.r...p(....s.....%.r...p(....s.....%.r!..p(....s........(....&*....0..j..........{....o....(....%.}.....}.....{....rg..p.|....(....rq..p(....o.....{....rg..p.|....(....rq..p(....o....*...0..]........{....o....(.....#......@.Y.#3333...@.#.......@ZX#.p=...?Y.(......{......(....o...
                            Process:C:\Users\user\Desktop\pKXxiawkTj.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):26
                            Entropy (8bit):3.95006375643621
                            Encrypted:false
                            SSDEEP:3:ggPYV:rPYV
                            MD5:187F488E27DB4AF347237FE461A079AD
                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                            Malicious:true
                            Preview:[ZoneTransfer]....ZoneId=0
                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.339482386762247
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:pKXxiawkTj.exe
                            File size:800'256 bytes
                            MD5:fb3b28a74fc931a89acb88affa85ac8f
                            SHA1:0c3bcf811112241312ec1298fa11a86b58f5b351
                            SHA256:cacd71018babc4f0e7e0676feea914ec61e37216487a567a1e94d9f518cf40ee
                            SHA512:e8528285c36b64258b2284be49aeff4aaeaa5531043ef86c4442f481fd7f331d6c738e1409bcedc66d2fb5c9c0469f53c40dbb94fad09802926dbc05414533ed
                            SSDEEP:12288:bL8f2uE1zDeQrlWxDgBvSI6Gf2GKUAOB0pApklKZCPHSljKdAA:bLu2uOGe4xDgEJROB+lLPHSljYA
                            TLSH:26059DD03B25A311DC6A6534D43ADDBB60232A2CAC1478EE2DD97F0B7DA6303581AF57
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ag..............0.................. ........@.. ....................................@................................
                            Icon Hash:2eec8e8cb683b9b1
                            Entrypoint:0x4ac7a2
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x67619506 [Tue Dec 17 15:13:10 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
                            dec esp
                            add byte ptr [edi+00h], ch
                            popad
                            add byte ptr [eax+eax+00h], ah
add byte ptr [eax], al   (the original listing repeats this line 92 times: the rest of the dumped window is 0x00 bytes, which disassemble as add byte ptr [eax], al)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xac750          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xae000          0x18998       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc8000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0xaa7b0       0xaa800   476e5dc3b6b24f65365dc8bd6e7f4009  False     0.8452048203812317   data       7.555625480789712    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xae000          0x18998       0x18a00   8b70dc1dffa69d201aa493db140b82c9  False     0.14467996510152284  data       4.286044851577916    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xc8000          0xc           0x200     18922caae820acf70aff09cb2f5a86db  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size     Type                                                                                              Language  Country  ZLIB Complexity
RT_ICON        0xae1d8  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m                       0.2649377593360996
RT_ICON        0xb0780  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m                       0.3646810506566604
RT_ICON        0xb1828  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m                       0.5549645390070922
RT_ICON        0xb1c90  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m                     0.18115257439773264
RT_ICON        0xb5eb8  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m                    0.0959718443156276
RT_GROUP_ICON  0xc66e0  0x4c     data                                                                                                                0.7631578947368421
RT_GROUP_ICON  0xc672c  0x14     data                                                                                                                1.05
RT_VERSION     0xc6740  0x258    data                                                                                                                0.485
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jan 10, 2025 19:38:13.656992912 CET  49710        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:13.661770105 CET  5200         49710      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:13.661854982 CET  49710        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:14.275238991 CET  49710        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:14.280013084 CET  5200         49710      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:15.054550886 CET  5200         49710      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:15.054675102 CET  49710        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:15.085146904 CET  49710        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:15.086981058 CET  49720        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:15.089931965 CET  5200         49710      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:15.091846943 CET  5200         49720      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:15.091922998 CET  49720        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:15.131149054 CET  49720        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:15.135915995 CET  5200         49720      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:16.495505095 CET  5200         49720      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:16.495570898 CET  49720        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:19.364839077 CET  49720        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:19.367955923 CET  49744        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:19.369703054 CET  5200         49720      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:19.372829914 CET  5200         49744      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:19.372944117 CET  49744        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:19.436867952 CET  49744        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:19.441817045 CET  5200         49744      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:20.757738113 CET  5200         49744      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:20.757849932 CET  49744        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:24.675828934 CET  49744        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:24.677165985 CET  49779        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:24.680804014 CET  5200         49744      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:24.682002068 CET  5200         49779      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:24.682087898 CET  49779        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:24.762876034 CET  49779        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:24.767759085 CET  5200         49779      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:26.092201948 CET  5200         49779      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:26.092441082 CET  49779        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:29.656585932 CET  49779        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:29.660028934 CET  49815        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:29.661717892 CET  5200         49779      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:29.664910078 CET  5200         49815      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:29.668426037 CET  49815        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:29.999861002 CET  49815        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:30.004801035 CET  5200         49815      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:31.088205099 CET  5200         49815      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:31.088345051 CET  49815        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:35.055114031 CET  49815        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:35.055826902 CET  49848        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:35.059923887 CET  5200         49815      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:35.060700893 CET  5200         49848      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:35.060796976 CET  49848        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:35.080430984 CET  49848        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:35.085261106 CET  5200         49848      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:36.443932056 CET  5200         49848      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:36.444119930 CET  49848        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:39.992872000 CET  49848        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:39.995485067 CET  49880        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:39.997734070 CET  5200         49848      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:40.001131058 CET  5200         49880      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:40.001213074 CET  49880        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:40.018023014 CET  49880        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:40.022903919 CET  5200         49880      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:41.413630962 CET  5200         49880      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:41.413732052 CET  49880        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:44.742764950 CET  49880        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:44.743522882 CET  49913        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:44.747633934 CET  5200         49880      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:44.748352051 CET  5200         49913      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:44.748445034 CET  49913        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:44.765086889 CET  49913        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:44.769969940 CET  5200         49913      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:46.151642084 CET  5200         49913      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:46.152667999 CET  49913        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:49.570879936 CET  49913        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:49.571882963 CET  49946        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:49.576122046 CET  5200         49913      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:49.576759100 CET  5200         49946      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:49.580487967 CET  49946        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:49.599365950 CET  49946        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:49.604393005 CET  5200         49946      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:50.980150938 CET  5200         49946      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:50.982971907 CET  49946        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:53.758378029 CET  49946        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:53.759088039 CET  49974        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:53.763200998 CET  5200         49946      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:53.763950109 CET  5200         49974      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:53.764061928 CET  49974        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:53.780178070 CET  49974        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:53.785054922 CET  5200         49974      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:54.468861103 CET  59731        53         192.168.2.7    162.159.36.2
Jan 10, 2025 19:38:54.473753929 CET  53           59731      162.159.36.2   192.168.2.7
Jan 10, 2025 19:38:54.473839998 CET  59731        53         192.168.2.7    162.159.36.2
Jan 10, 2025 19:38:54.478693008 CET  53           59731      162.159.36.2   192.168.2.7
Jan 10, 2025 19:38:54.950658083 CET  59731        53         192.168.2.7    162.159.36.2
Jan 10, 2025 19:38:54.956126928 CET  53           59731      162.159.36.2   192.168.2.7
Jan 10, 2025 19:38:54.956218958 CET  59731        53         192.168.2.7    162.159.36.2
Jan 10, 2025 19:38:55.211275101 CET  5200         49974      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:55.211333036 CET  49974        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:57.461549044 CET  49974        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:57.464257956 CET  59741        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:57.466398954 CET  5200         49974      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:57.469007015 CET  5200         59741      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:57.469082117 CET  59741        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:57.509399891 CET  59741        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:57.514213085 CET  5200         59741      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:58.882803917 CET  5200         59741      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:58.882935047 CET  59741        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:59.961549044 CET  59741        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:59.963109970 CET  59742        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:59.966300964 CET  5200         59741      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:59.967910051 CET  5200         59742      154.39.0.150   192.168.2.7
Jan 10, 2025 19:38:59.967987061 CET  59742        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:59.983135939 CET  59742        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:38:59.987936020 CET  5200         59742      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:01.368839025 CET  5200         59742      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:01.371535063 CET  59742        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:02.117723942 CET  59742        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:02.118494987 CET  59743        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:02.122688055 CET  5200         59742      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:02.123342991 CET  5200         59743      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:02.123435020 CET  59743        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:02.139980078 CET  59743        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:02.144803047 CET  5200         59743      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:03.525119066 CET  5200         59743      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:03.525235891 CET  59743        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:04.289726973 CET  59743        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:04.290962934 CET  59744        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:04.295386076 CET  5200         59743      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:04.298441887 CET  5200         59744      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:04.298732042 CET  59744        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:04.315843105 CET  59744        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:04.322434902 CET  5200         59744      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:05.699130058 CET  5200         59744      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:05.699265003 CET  59744        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:05.961987019 CET  59744        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:05.962852001 CET  59745        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:05.966948032 CET  5200         59744      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:05.967714071 CET  5200         59745      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:05.967808962 CET  59745        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:05.984404087 CET  59745        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:05.989347935 CET  5200         59745      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:07.351511002 CET  5200         59745      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:07.352494001 CET  59745        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:07.508513927 CET  59745        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:07.511288881 CET  59746        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:07.513520002 CET  5200         59745      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:07.516197920 CET  5200         59746      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:07.516293049 CET  59746        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:07.533550024 CET  59746        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:07.538516045 CET  5200         59746      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:08.929478884 CET  5200         59746      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:08.929636002 CET  59746        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:09.633486032 CET  59746        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:09.634313107 CET  59747        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:09.638375044 CET  5200         59746      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:09.639139891 CET  5200         59747      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:09.639286995 CET  59747        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:09.656215906 CET  59747        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:09.661093950 CET  5200         59747      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:11.061470985 CET  5200         59747      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:11.061614990 CET  59747        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:11.274169922 CET  59747        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:11.275016069 CET  59748        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:11.279103041 CET  5200         59747      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:11.279817104 CET  5200         59748      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:11.279906988 CET  59748        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:11.296622038 CET  59748        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:11.302280903 CET  5200         59748      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:12.664273977 CET  5200         59748      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:12.664421082 CET  59748        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:12.930244923 CET  59748        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:12.931932926 CET  59749        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:12.935187101 CET  5200         59748      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:12.936795950 CET  5200         59749      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:12.936887026 CET  59749        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:12.967869997 CET  59749        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:12.972702980 CET  5200         59749      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:14.319957018 CET  5200         59749      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:14.320085049 CET  59749        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:14.430280924 CET  59749        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:14.431303024 CET  59750        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:14.435107946 CET  5200         59749      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:14.436139107 CET  5200         59750      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:14.436225891 CET  59750        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:14.453035116 CET  59750        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:14.457863092 CET  5200         59750      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:15.840627909 CET  5200         59750      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:15.840713978 CET  59750        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:15.883481026 CET  59750        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:15.885185957 CET  59751        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:15.888322115 CET  5200         59750      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:15.890022993 CET  5200         59751      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:15.890110016 CET  59751        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:15.907778978 CET  59751        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:15.912549019 CET  5200         59751      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:17.322588921 CET  5200         59751      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:17.322700977 CET  59751        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:17.323229074 CET  59751        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:17.325191975 CET  59752        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:17.328017950 CET  5200         59751      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:17.329996109 CET  5200         59752      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:17.330687046 CET  59752        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:17.345910072 CET  59752        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:17.350720882 CET  5200         59752      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:18.744046926 CET  5200         59752      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:18.744115114 CET  59752        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:22.524533033 CET  59752        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:22.525796890 CET  59753        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:22.529628992 CET  5200         59752      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:22.530966997 CET  5200         59753      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:22.531339884 CET  59753        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:22.633779049 CET  59753        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:22.639113903 CET  5200         59753      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:23.947864056 CET  5200         59753      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:23.947930098 CET  59753        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:28.024099112 CET  59753        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:28.026612043 CET  59754        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:28.028886080 CET  5200         59753      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:28.031440020 CET  5200         59754      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:28.031527996 CET  59754        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:28.086863041 CET  59754        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:28.091742039 CET  5200         59754      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:29.433057070 CET  5200         59754      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:29.433118105 CET  59754        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:33.367896080 CET  59754        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:33.370299101 CET  59755        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:33.372746944 CET  5200         59754      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:33.375233889 CET  5200         59755      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:33.376277924 CET  59755        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:33.509752035 CET  59755        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:33.514601946 CET  5200         59755      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:33.776109934 CET  59755        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:33.781059980 CET  5200         59755      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:34.793484926 CET  5200         59755      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:34.796160936 CET  59755        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:38.775446892 CET  59755        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:38.776052952 CET  59756        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:38.780313015 CET  5200         59755      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:38.780899048 CET  5200         59756      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:38.781038046 CET  59756        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:38.864475965 CET  59756        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:38.869313002 CET  5200         59756      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:40.195728064 CET  5200         59756      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:40.195796967 CET  59756        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:43.994370937 CET  59756        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:43.997903109 CET  59757        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:43.999186039 CET  5200         59756      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:44.002726078 CET  5200         59757      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:44.003884077 CET  59757        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:44.128149986 CET  59757        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:44.133054972 CET  5200         59757      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:44.149406910 CET  59757        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:44.155404091 CET  5200         59757      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:45.436041117 CET  5200         59757      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:45.436096907 CET  59757        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:49.165035963 CET  59757        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:49.169987917 CET  5200         59757      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:49.170049906 CET  59758        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:49.174886942 CET  5200         59758      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:49.174971104 CET  59758        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:49.221616983 CET  59758        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:49.226492882 CET  5200         59758      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:50.592240095 CET  5200         59758      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:50.592564106 CET  59758        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:54.367885113 CET  59758        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:54.370907068 CET  59759        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:54.373778105 CET  5200         59758      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:54.375755072 CET  5200         59759      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:54.375835896 CET  59759        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:54.532588959 CET  59759        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:54.537425995 CET  5200         59759      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:54.805895090 CET  59759        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:54.810792923 CET  5200         59759      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:54.852554083 CET  59759        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:54.857443094 CET  5200         59759      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:54.868577957 CET  59759        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:54.873442888 CET  5200         59759      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:54.930861950 CET  59759        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:54.935657024 CET  5200         59759      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:55.243551016 CET  59759        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:55.250461102 CET  5200         59759      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:55.258755922 CET  59759        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:39:55.263605118 CET  5200         59759      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:55.775898933 CET  5200         59759      154.39.0.150   192.168.2.7
Jan 10, 2025 19:39:55.778748035 CET  59759        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:00.367954969 CET  59759        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:00.372498035 CET  59760        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:00.372930050 CET  5200         59759      154.39.0.150   192.168.2.7
Jan 10, 2025 19:40:00.377432108 CET  5200         59760      154.39.0.150   192.168.2.7
Jan 10, 2025 19:40:00.377785921 CET  59760        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:00.497011900 CET  59760        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:00.501859903 CET  5200         59760      154.39.0.150   192.168.2.7
Jan 10, 2025 19:40:01.775522947 CET  5200         59760      154.39.0.150   192.168.2.7
Jan 10, 2025 19:40:01.775593996 CET  59760        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:06.164874077 CET  59760        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:06.167107105 CET  59761        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:06.169879913 CET  5200         59760      154.39.0.150   192.168.2.7
Jan 10, 2025 19:40:06.172068119 CET  5200         59761      154.39.0.150   192.168.2.7
Jan 10, 2025 19:40:06.172202110 CET  59761        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:06.268567085 CET  59761        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:06.273473024 CET  5200         59761      154.39.0.150   192.168.2.7
Jan 10, 2025 19:40:07.134248018 CET  59761        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:07.139198065 CET  5200         59761      154.39.0.150   192.168.2.7
Jan 10, 2025 19:40:07.570956945 CET  5200         59761      154.39.0.150   192.168.2.7
Jan 10, 2025 19:40:07.571067095 CET  59761        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:12.573457956 CET  59761        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:12.578453064 CET  5200         59761      154.39.0.150   192.168.2.7
Jan 10, 2025 19:40:12.587866068 CET  59762        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:12.592778921 CET  5200         59762      154.39.0.150   192.168.2.7
Jan 10, 2025 19:40:12.595390081 CET  59762        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:12.811135054 CET  59762        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:12.815949917 CET  5200         59762      154.39.0.150   192.168.2.7
Jan 10, 2025 19:40:13.993163109 CET  5200         59762      154.39.0.150   192.168.2.7
Jan 10, 2025 19:40:13.993279934 CET  59762        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:18.056612015 CET  59762        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:18.057673931 CET  59763        5200       192.168.2.7    154.39.0.150
Jan 10, 2025 19:40:18.061543941 CET  5200         59762      154.39.0.150   192.168.2.7
Jan 10, 2025 19:40:18.062529087 CET  5200         59763      154.39.0.150   192.168.2.7
Jan 10, 2025 19:40:18.062612057 CET  59763        5200       192.168.2.7    154.39.0.150
                            Jan 10, 2025 19:40:18.100768089 CET597635200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:18.105591059 CET520059763154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:18.118138075 CET597635200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:18.122961998 CET520059763154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:18.979758024 CET597635200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:18.986627102 CET520059763154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:19.465975046 CET520059763154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:19.466088057 CET597635200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:23.336831093 CET597635200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:23.339337111 CET597645200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:23.341882944 CET520059763154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:23.344158888 CET520059764154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:23.344244003 CET597645200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:23.385560989 CET597645200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:23.390485048 CET520059764154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:24.744473934 CET520059764154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:24.744874001 CET597645200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:28.696449041 CET597645200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:28.698577881 CET597655200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:28.701443911 CET520059764154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:28.703423023 CET520059765154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:28.703541994 CET597655200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:28.862335920 CET597655200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:28.867268085 CET520059765154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:28.977859974 CET597655200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:28.982844114 CET520059765154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:29.008888006 CET597655200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:29.013765097 CET520059765154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:30.087331057 CET520059765154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:30.092560053 CET597655200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:34.086904049 CET597655200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:34.087649107 CET597665200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:34.091873884 CET520059765154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:34.092449903 CET520059766154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:34.092524052 CET597665200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:34.149363995 CET597665200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:34.154284954 CET520059766154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:35.514934063 CET520059766154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:35.515052080 CET597665200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:39.212579012 CET597665200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:39.213874102 CET597675200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:39.217472076 CET520059766154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:39.218744040 CET520059767154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:39.218839884 CET597675200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:39.316581964 CET597675200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:39.321594954 CET520059767154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:40.685328960 CET520059767154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:40.685400009 CET597675200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:44.602516890 CET597675200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:44.603718042 CET597685200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:44.607424021 CET520059767154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:44.608581066 CET520059768154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:44.608725071 CET597685200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:44.650582075 CET597685200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:44.655500889 CET520059768154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:45.993716002 CET520059768154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:45.993808985 CET597685200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:49.743482113 CET597685200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:49.746889114 CET597695200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:49.748430014 CET520059768154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:49.751794100 CET520059769154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:49.751862049 CET597695200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:49.788299084 CET597695200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:49.793107033 CET520059769154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:51.150649071 CET520059769154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:51.150873899 CET597695200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:55.180706978 CET597695200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:55.183691025 CET597705200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:55.185647964 CET520059769154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:55.188510895 CET520059770154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:55.188586950 CET597705200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:55.230411053 CET597705200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:40:55.235374928 CET520059770154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:56.572454929 CET520059770154.39.0.150192.168.2.7
                            Jan 10, 2025 19:40:56.576621056 CET597705200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:00.477603912 CET597705200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:00.479764938 CET597715200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:00.500519991 CET520059770154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:00.500540972 CET520059771154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:00.500854969 CET597715200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:00.593868017 CET597715200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:00.600291014 CET520059771154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:01.904437065 CET520059771154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:01.904501915 CET597715200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:05.715645075 CET597715200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:05.719233036 CET597725200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:05.721168995 CET520059771154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:05.724047899 CET520059772154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:05.724148035 CET597725200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:05.880729914 CET597725200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:05.885549068 CET520059772154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:05.915350914 CET597725200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:05.920180082 CET520059772154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:05.931008101 CET597725200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:05.935839891 CET520059772154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:07.121721029 CET520059772154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:07.121928930 CET597725200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:11.040762901 CET597725200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:11.044632912 CET597735200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:11.046437979 CET520059772154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:11.049488068 CET520059773154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:11.050988913 CET597735200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:11.156491041 CET597735200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:11.162858963 CET520059773154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:12.466675043 CET520059773154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:12.466746092 CET597735200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:16.368269920 CET597735200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:16.371419907 CET597745200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:16.373172998 CET520059773154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:16.376293898 CET520059774154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:16.376357079 CET597745200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:16.416178942 CET597745200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:16.422091961 CET520059774154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:16.557090998 CET597745200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:16.564685106 CET520059774154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:17.776374102 CET520059774154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:17.778146982 CET597745200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:22.759016991 CET597745200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:22.761171103 CET597755200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:22.763952017 CET520059774154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:22.766124010 CET520059775154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:22.766201019 CET597755200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:22.796365976 CET597755200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:22.801227093 CET520059775154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:24.357553959 CET520059775154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:24.357636929 CET597755200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:27.821775913 CET597755200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:27.823792934 CET597765200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:27.826630116 CET520059775154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:27.828588009 CET520059776154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:27.828687906 CET597765200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:27.988579035 CET597765200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:27.993489027 CET520059776154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:29.250174999 CET520059776154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:29.250317097 CET597765200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:33.072674990 CET597765200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:33.074749947 CET597775200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:33.077713013 CET520059776154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:33.079652071 CET520059777154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:33.080032110 CET597775200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:33.174386978 CET597775200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:33.179255009 CET520059777154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:33.698472023 CET597775200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:33.703377008 CET520059777154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:34.480232954 CET520059777154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:34.480299950 CET597775200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:38.259073019 CET597775200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:38.260405064 CET597785200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:38.264144897 CET520059777154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:38.265381098 CET520059778154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:38.265446901 CET597785200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:38.303348064 CET597785200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:38.308393002 CET520059778154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:38.478066921 CET597785200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:38.482939005 CET520059778154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:38.587424040 CET597785200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:38.592427015 CET520059778154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:38.602979898 CET597785200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:38.607770920 CET520059778154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:39.651626110 CET520059778154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:39.651746988 CET597785200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:43.634080887 CET597785200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:43.635936975 CET597795200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:43.639111996 CET520059778154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:43.640906096 CET520059779154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:43.640989065 CET597795200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:43.680279016 CET597795200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:43.686147928 CET520059779154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:45.073853016 CET520059779154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:45.073966980 CET597795200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:48.790369034 CET597795200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:48.792045116 CET597805200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:48.795275927 CET520059779154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:48.796897888 CET520059780154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:48.796969891 CET597805200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:48.831505060 CET597805200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:48.836615086 CET520059780154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:48.868571043 CET597805200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:48.874414921 CET520059780154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:50.200179100 CET520059780154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:50.200269938 CET597805200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:54.121659040 CET597805200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:54.126652002 CET520059780154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:54.128659964 CET597815200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:54.133598089 CET520059781154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:54.133758068 CET597815200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:54.180305958 CET597815200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:54.185204983 CET520059781154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:55.526339054 CET520059781154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:55.526428938 CET597815200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:59.274902105 CET597815200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:59.277314901 CET597825200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:59.279874086 CET520059781154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:59.282171965 CET520059782154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:59.284276009 CET597825200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:59.388287067 CET597825200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:59.393203974 CET520059782154.39.0.150192.168.2.7
                            Jan 10, 2025 19:41:59.462521076 CET597825200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:41:59.467518091 CET520059782154.39.0.150192.168.2.7
                            Jan 10, 2025 19:42:00.685659885 CET520059782154.39.0.150192.168.2.7
                            Jan 10, 2025 19:42:00.685724020 CET597825200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:42:04.930908918 CET597825200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:42:04.932704926 CET597835200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:42:04.935678959 CET520059782154.39.0.150192.168.2.7
                            Jan 10, 2025 19:42:04.937563896 CET520059783154.39.0.150192.168.2.7
                            Jan 10, 2025 19:42:04.938647032 CET597835200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:42:05.002552986 CET597835200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:42:05.007514954 CET520059783154.39.0.150192.168.2.7
                            Jan 10, 2025 19:42:05.056212902 CET597835200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:42:05.061175108 CET520059783154.39.0.150192.168.2.7
                            Jan 10, 2025 19:42:05.790719032 CET597835200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:42:05.795644045 CET520059783154.39.0.150192.168.2.7
                            Jan 10, 2025 19:42:06.356790066 CET520059783154.39.0.150192.168.2.7
                            Jan 10, 2025 19:42:06.356883049 CET597835200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:42:10.243555069 CET597835200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:42:10.245057106 CET597845200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:42:10.248429060 CET520059783154.39.0.150192.168.2.7
                            Jan 10, 2025 19:42:10.249946117 CET520059784154.39.0.150192.168.2.7
                            Jan 10, 2025 19:42:10.250014067 CET597845200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:42:10.320728064 CET597845200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:42:10.325712919 CET520059784154.39.0.150192.168.2.7
                            Jan 10, 2025 19:42:11.480745077 CET597845200192.168.2.7154.39.0.150
                            Jan 10, 2025 19:42:11.485662937 CET520059784154.39.0.150192.168.2.7
                            Jan 10, 2025 19:42:11.636953115 CET520059784154.39.0.150192.168.2.7
                            Jan 10, 2025 19:42:11.637362003 CET597845200192.168.2.7154.39.0.150
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 19:38:54.468358040 CET | 53 | 57453 | 162.159.36.2 | 192.168.2.7
Jan 10, 2025 19:38:54.961206913 CET | 53 | 64349 | 1.1.1.1 | 192.168.2.7
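
Joe Sandbox exports its packet tables as five columns (timestamp, source port, destination port, source IP, destination IP), and copies of these reports are often extracted with the columns run together into one string, as in the rows embedded below. The following is an added example, not code from the report: it re-splits such rows using two facts visible in the table (the sandbox host 192.168.2.7 is in every row, and a port must fit in 16 bits) and then measures how often the sample opened a new TCP session to 154.39.0.150:5200. The embedded rows are copied from this report; the function names, the rule that a service port belongs to the remote side, and the two-pass resolution are this example's own assumptions.

```python
"""Re-split flattened Joe Sandbox packet-table rows, then measure how often the
sandbox host opened a new TCP session to the C2.

Added example, not code from the report. SAMPLE_ROWS is copied from this
report; the names, the remote-side port rule and the two-pass resolution are
this example's own assumptions.
"""
import ipaddress
import re
from datetime import datetime, timedelta
from typing import NamedTuple

ANALYSIS_HOST = "192.168.2.7"  # the sandbox VM; present in every row of the report

# Rows copied verbatim from the report's TCP and UDP packet tables.
SAMPLE_ROWS = [
    "Jan 10, 2025 19:40:00.372498035 CET597605200192.168.2.7154.39.0.150",
    "Jan 10, 2025 19:40:00.377432108 CET520059760154.39.0.150192.168.2.7",
    "Jan 10, 2025 19:40:06.167107105 CET597615200192.168.2.7154.39.0.150",
    "Jan 10, 2025 19:40:12.587866068 CET597625200192.168.2.7154.39.0.150",
    "Jan 10, 2025 19:40:18.057673931 CET597635200192.168.2.7154.39.0.150",
    "Jan 10, 2025 19:38:54.468358040 CET5357453162.159.36.2192.168.2.7",
]

_ROW = re.compile(r"^(?P<date>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) "
                  r"(?P<tz>[A-Z]+)(?P<blob>\d[\d.]+)$")

Packet = NamedTuple("Packet", [("ts", datetime), ("sport", int), ("dport", int), ("src", str), ("dst", str)])


class AmbiguousRow(ValueError):
    """More than one port/IP split of a row survived validation."""


def _valid_ip(text):
    try:
        ipaddress.IPv4Address(text)  # rejects octets > 255, leading zeros and 4-digit octets
        return True
    except ValueError:
        return False


def _port_splits(digits):
    """Every cut of a digit run into two ports in 0..65535 without leading zeros."""
    for k in range(1, len(digits)):
        a, b = digits[:k], digits[k:]
        if (len(a) > 1 and a[0] == "0") or (len(b) > 1 and b[0] == "0"):
            continue
        if int(a) <= 65535 and int(b) <= 65535:
            yield int(a), int(b)


def _candidates(blob, host):
    """All (sport, dport, src, dst) readings of '<ports><srcip><dstip>' that are
    internally valid and involve the analysis host."""
    found = []
    for i in range(2, len(blob)):
        if not blob[:i].isdigit():
            break
        for j in range(i + 7, len(blob) - 6):  # an IPv4 needs at least 7 characters
            src, dst = blob[i:j], blob[j:]
            if host in (src, dst) and _valid_ip(src) and _valid_ip(dst):
                found += [(sp, dp, src, dst) for sp, dp in _port_splits(blob[:i])]
    return found


def parse_row(row, host=ANALYSIS_HOST, service_ports=frozenset({53})):
    """Parse one row; raise AmbiguousRow when the remote side's port cannot settle it."""
    m = _ROW.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    micros = int(m["frac"][:6].ljust(6, "0"))  # the report carries ns, datetime takes us
    ts = datetime.strptime(m["date"], "%b %d, %Y %H:%M:%S") + timedelta(microseconds=micros)
    cands = _candidates(m["blob"], host)
    if len(cands) > 1:
        # Assumption: a service port belongs to the side that is not the sandbox host.
        cands = [c for c in cands if (c[1] if c[2] == host else c[0]) in service_ports] or cands
    if len(cands) != 1:
        raise AmbiguousRow(f"{len(cands)} readings of {row!r}")
    return Packet(ts, *cands[0])


def parse_rows(rows, host=ANALYSIS_HOST, service_ports=frozenset({53})):
    """Parse all rows, keeping order. Rows that are ambiguous on their own are retried
    with the remote-side ports learned from the rows that were not (here: 5200)."""
    out, deferred = [None] * len(rows), []
    for i, row in enumerate(rows):
        try:
            out[i] = parse_row(row, host, service_ports)
        except AmbiguousRow:
            deferred.append(i)
    learned = set(service_ports) | {p.dport if p.src == host else p.sport for p in out if p}
    for i in deferred:
        out[i] = parse_row(rows[i], host, frozenset(learned))
    return out


def session_cadence(packets, remote, host=ANALYSIS_HOST):
    """Each ephemeral port the host used toward `remote` is one session; return
    (port, seconds since the previous session's first packet)."""
    first = {}
    for p in packets:
        if p.src == host and p.dst == remote:
            first[p.sport] = min(first.get(p.sport, p.ts), p.ts)
    ports = sorted(first)
    return [(b, (first[b] - first[a]).total_seconds()) for a, b in zip(ports, ports[1:])]


if __name__ == "__main__":
    pkts = parse_rows(SAMPLE_ROWS)
    for port, gap in session_cadence(pkts, remote="154.39.0.150"):
        print(f"new session from port {port} after {gap:.2f}s")
```

The flattening is lossy: 597615200 reads as 59761/5200 or as 5976/15200, and 520059760 as 5200/59760 or 52005/9760, so a parser that only checks port ranges cannot settle every row. The example therefore defers rows that stay ambiguous and retries them with the remote-side ports learned from rows that were not; on these rows that recovers 5200 as the remote port, and the cadence function shows the host using a fresh ephemeral port toward 154.39.0.150 about every five to six seconds, that is, a series of short connections rather than one long-lived session.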

                            Target ID:0
                            Start time:13:38:05
                            Start date:10/01/2025
                            Path:C:\Users\user\Desktop\pKXxiawkTj.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\pKXxiawkTj.exe"
                            Imagebase:0xf70000
                            File size:800'256 bytes
                            MD5 hash:FB3B28A74FC931A89ACB88AFFA85AC8F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1307640783.0000000004479000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1307640783.0000000004479000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1307232411.000000000364D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1307232411.000000000364D000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1307640783.0000000004CE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1307640783.0000000004CE5000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                            Reputation:low
                            Has exited:true

                            Target ID:3
                            Start time:13:38:07
                            Start date:10/01/2025
                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VfcnvkK.exe"
                            Imagebase:0xd20000
                            File size:433'152 bytes
                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:4
                            Start time:13:38:07
                            Start date:10/01/2025
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:13:38:07
                            Start date:10/01/2025
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp3D99.tmp"
                            Imagebase:0xf10000
                            File size:187'904 bytes
                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:6
                            Start time:13:38:07
                            Start date:10/01/2025
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:7
                            Start time:13:38:07
                            Start date:10/01/2025
                            Path:C:\Users\user\Desktop\pKXxiawkTj.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\pKXxiawkTj.exe"
                            Imagebase:0x90000
                            File size:800'256 bytes
                            MD5 hash:FB3B28A74FC931A89ACB88AFFA85AC8F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:8
                            Start time:13:38:07
                            Start date:10/01/2025
                            Path:C:\Users\user\Desktop\pKXxiawkTj.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\pKXxiawkTj.exe"
                            Imagebase:0xda0000
                            File size:800'256 bytes
                            MD5 hash:FB3B28A74FC931A89ACB88AFFA85AC8F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:false

                            Target ID:10
                            Start time:13:38:08
                            Start date:10/01/2025
                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                            Imagebase:0x7ff7fb730000
                            File size:496'640 bytes
                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                            Has elevated privileges:true
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:11
                            Start time:13:38:10
                            Start date:10/01/2025
                            Path:C:\Users\user\AppData\Roaming\VfcnvkK.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\user\AppData\Roaming\VfcnvkK.exe
                            Imagebase:0xa40000
                            File size:800'256 bytes
                            MD5 hash:FB3B28A74FC931A89ACB88AFFA85AC8F
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000B.00000002.1358950431.00000000032ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.1358950431.00000000032ED000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                            Antivirus matches:
                            • Detection: 100%, Avira
                            • Detection: 100%, Joe Sandbox ML
                            • Detection: 82%, ReversingLabs
                            Reputation:low
                            Has exited:true

                            Target ID:12
                            Start time:13:38:11
                            Start date:10/01/2025
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" /XML "C:\Users\user\AppData\Local\Temp\tmp4DE5.tmp"
                            Imagebase:0xf10000
                            File size:187'904 bytes
                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:13
                            Start time:13:38:11
                            Start date:10/01/2025
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff75da10000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:14
                            Start time:13:38:11
                            Start date:10/01/2025
                            Path:C:\Users\user\AppData\Roaming\VfcnvkK.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Roaming\VfcnvkK.exe"
                            Imagebase:0x6e0000
                            File size:800'256 bytes
                            MD5 hash:FB3B28A74FC931A89ACB88AFFA85AC8F
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000E.00000002.1376668702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000E.00000002.1376668702.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                            Reputation:low
                            Has exited:true

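The schtasks.exe command line listed above for Target ID 12 creates the task Updates\VfcnvkK from an XML definition written to the user's Temp directory (tmp4DE5.tmp), the same pattern the dropped copy VfcnvkK.exe uses to survive reboots. The Python below is an added triage check and is not part of this Joe Sandbox report or of any vendor detection rule: it parses the command lines from the process table above (copied here as sample input) and flags any task creation whose /XML definition lives under a Temp directory. The tokenizer, the list of value-taking switches and the "any path component named Temp" test are this example's own simplifications.

```python
import re
from typing import Optional

# Command lines copied from the process list of this report
# (Target IDs 8, 10, 12, 13 and 14, in that order).
REPORT_CMDLINES = [
    r'"C:\Users\user\Desktop\pKXxiawkTj.exe"',
    r'C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfcnvkK" '
    r'/XML "C:\Users\user\AppData\Local\Temp\tmp4DE5.tmp"',
    r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'"C:\Users\user\AppData\Roaming\VfcnvkK.exe"',
]

# schtasks switches that consume the following argument as their value
# (assumption: only the switches relevant to /Create are modelled here).
VALUE_SWITCHES = {"/tn", "/xml", "/tr", "/sc", "/ru", "/rp", "/st", "/sd"}


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted
    arguments whole. Backslashes are path separators on Windows, not escape
    characters, so a quoted-or-bare regex is enough (no shlex)."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return the /Create parameters of a schtasks.exe command line, or None
    when the line is not a schtasks task-creation command."""
    args = tokenize(cmdline)
    if not args or not args[0].lower().endswith("schtasks.exe"):
        return None
    opts: dict = {}
    i = 1
    while i < len(args):
        key = args[i].lower()
        if key in VALUE_SWITCHES and i + 1 < len(args):
            opts[key] = args[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    if "/create" not in opts:
        return None
    return {"task": opts.get("/tn"), "xml": opts.get("/xml"), "run": opts.get("/tr")}


def is_temp_path(path: str) -> bool:
    """True when any directory component of the path is named Temp, which
    covers both %LOCALAPPDATA%\\Temp and C:\\Windows\\Temp."""
    parts = path.lower().replace("/", "\\").split("\\")
    return "temp" in parts[:-1]


def flag_temp_task_creation(cmdlines: list[str]) -> list[dict]:
    """Return one record per schtasks /Create whose /XML definition is read
    from a Temp directory."""
    hits = []
    for cmd in cmdlines:
        info = parse_schtasks(cmd)
        if info and info["xml"] and is_temp_path(info["xml"]):
            hits.append({"task": info["task"], "xml": info["xml"], "cmdline": cmd})
    return hits


if __name__ == "__main__":
    for hit in flag_temp_task_creation(REPORT_CMDLINES):
        print(f"scheduled task {hit['task']!r} imported from temp XML {hit['xml']}")
```

Run against the report's process list this yields exactly one hit, the Updates\VfcnvkK task. In a real pipeline the same function would be fed Sysmon event ID 1 or Security 4688 command lines; the Temp-path test deliberately ignores the task name, since the name is attacker-chosen and changes between samples.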

                              Execution Graph

                              Execution Coverage:11.2%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:1.3%
                              Total number of Nodes:225
                              Total number of Limit Nodes:17
                              execution_graph (interactive graph rendering; the raw node and edge list is omitted here). Graph roots: 164ac70, 164d000, 164d650, 1644668, 7d53000, 7d540b8, 7d59af8, ef807c0, ef81a70. API calls that appear as graph nodes: GetModuleHandleW (under 164ac70), GetCurrentProcess, GetCurrentThread and GetCurrentThreadId (164d000), DuplicateHandle (164d650), CreateActCtxA (1644668), VirtualProtect (reached repeatedly from 7d59af8 via b7d2770/b7d2778), DrawTextExW and CreateIconFromResourceEx (7d53000 and 7d540b8), PostMessageW (ef81a70), and under ef807c0 the injection chain CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread (wrappers at b7ded70, b7de5f0, b7deae8, b7debd8, b7de0e0 and b7de030).

                              Control-flow Graph

                              control_flow_graph (rendered graph with nodes colour-coded executed / not executed; basic-block list omitted): function entry 7d520a4, blocks 7d520a4-7d55074, internal calls to 7d520b4, 7d520c0, 7d54398, 7d543a8, 7d550bf and 7d550d0.
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: Hq$Hq$Hq$Hq$Hq
                              • API String ID: 0-3799487529
                              • Opcode ID: 0850d92a035c3ef4ac0d14e133cc915c452ad975baab7ea8f59f718ccdde3bab
                              • Instruction ID: 06f59cac44d22eab2aa646bde826e9aa1072dade12db328a7b44201ea1d246b9
                              • Opcode Fuzzy Hash: 0850d92a035c3ef4ac0d14e133cc915c452ad975baab7ea8f59f718ccdde3bab
                              • Instruction Fuzzy Hash: C5325E70E002598FDB58DFA8C8547AEBBF2BFC4300F148569D44AAB395DB349C85CB96

                              Control-flow Graph

                              control_flow_graph (rendered graph with nodes colour-coded executed / not executed; basic-block list omitted): function entry 7d5c7ce, blocks 7d5c7ce-7d5cbe2, internal calls to 7d5cd90 and 7d5cda0.
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: ry$ry$ry
                              • API String ID: 0-128149707
                              • Opcode ID: 28bdd1d3418da4a9e560db13169b8f6d1168c83d1bb6d460465c2dca31d4059c
                              • Instruction ID: cc48fd278a6349fbacb59c87aa1bb64719380079eb03f5e157d28ed403d74fb8
                              • Opcode Fuzzy Hash: 28bdd1d3418da4a9e560db13169b8f6d1168c83d1bb6d460465c2dca31d4059c
                              • Instruction Fuzzy Hash: F6C148B4D2430ADFCB08CFA5C5814AEFFB2FF89340B109459D859AB255D734AA42CFA5

                              Control-flow Graph

                              control_flow_graph (rendered graph with nodes colour-coded executed / not executed; basic-block list omitted): function entry 7d5c7e8, blocks 7d5c7e8-7d5cbe2, internal calls to 7d5cd90 and 7d5cda0.
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: ry$ry$ry
                              • API String ID: 0-128149707
                              • Opcode ID: d206770d6abba3bef500d120df2a6c4effc40161c2413151405ed7e8530d2346
                              • Instruction ID: a75196cdd682b5fb90c13d49a4f085cc0709f76db581f6a91754f259ec942429
                              • Opcode Fuzzy Hash: d206770d6abba3bef500d120df2a6c4effc40161c2413151405ed7e8530d2346
                              • Instruction Fuzzy Hash: 78C148B4D2430ADFCB08CFA5C5858AEFBB2FF89300F109459D859AB254D774A942CFA4

                              Control-flow Graph

                              control_flow_graph (rendered graph with nodes colour-coded executed / not executed; basic-block list omitted): function entry 7d5a680, blocks 7d5a680-7d5a962, internal calls to 7d5b976, 7d5b978, 7d5bc3b, 7d5bcf3, 7d5c5d8 and 7d5c627.
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: Teq$Teq$z^I
                              • API String ID: 0-127928066
                              • Opcode ID: f1a3e6d1fc5ecb95c23d10ba061dadaf2683a50e3b9c483a49486ce0ab26fda3
                              • Instruction ID: 561673d4d8654349792df862523d2dc6587702f5eaabd44da0c28ecddeb3f3fd
                              • Opcode Fuzzy Hash: f1a3e6d1fc5ecb95c23d10ba061dadaf2683a50e3b9c483a49486ce0ab26fda3
                              • Instruction Fuzzy Hash: B091B3B4E102298FDB08CFAAC98469EFBB2FF89310F24952AD855BB354D7349905CF54

                              Control-flow Graph

                              control_flow_graph (rendered graph with nodes colour-coded executed / not executed; basic-block list omitted): function entry 7d5a67e, blocks 7d5a67e-7d5a962, internal calls to 7d5b976, 7d5b978, 7d5bc3b, 7d5bcf3, 7d5c5d8 and 7d5c627.
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: Teq$Teq$z^I
                              • API String ID: 0-127928066
                              • Opcode ID: 89a4b13fcfa9364588f7f96fc400e2738a6c6e2241a02bdbdac686c78b6eb75a
                              • Instruction ID: 2d8d35c2092832f889e76dc6ce8b7043c5a455fc72b0a14f8b5533f765e5caf9
                              • Opcode Fuzzy Hash: 89a4b13fcfa9364588f7f96fc400e2738a6c6e2241a02bdbdac686c78b6eb75a
                              • Instruction Fuzzy Hash: E791B2B4E102198FDB08CFAAC984A9EFBB2FF89310F24952AD855BB354D7349905CF54

                              Control-flow Graph

                              control_flow_graph (rendered graph with nodes colour-coded executed / not executed; basic-block list omitted): function entry b7d4170, blocks b7d4170-b7d4480, internal call to b7d45c0.
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: TuA$UC;"
                              • API String ID: 0-2071649361
                              • Opcode ID: aa72b35320391e16f8875f0df5e6fc95dea9b392389e086dec0de215fa102d06
                              • Instruction ID: 1d748353621f017dc643408dbc2ab5584efb9cd66454145eccc49f36819d5526
                              • Opcode Fuzzy Hash: aa72b35320391e16f8875f0df5e6fc95dea9b392389e086dec0de215fa102d06
                              • Instruction Fuzzy Hash: 88912679D15209EFCB08CFEAE48559EFBF2EF89350F10902AE425A7264D7309A42CF54

                              Control-flow Graph

                              control_flow_graph (rendered graph with nodes colour-coded executed / not executed; basic-block list omitted): function entry b7d4180, blocks b7d4180-b7d4480, internal call to b7d45c0.
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: TuA$UC;"
                              • API String ID: 0-2071649361
                              • Opcode ID: 407795e3c82bf5c22e7b9fbf85d1be3c193f7084c044fb5a83c5f6474f0cf378
                              • Instruction ID: 125310c373e4afbd7fa8df46f5947513eded225b2da26178919764dfa424995b
                              • Opcode Fuzzy Hash: 407795e3c82bf5c22e7b9fbf85d1be3c193f7084c044fb5a83c5f6474f0cf378
                              • Instruction Fuzzy Hash: 5F91F579D15209EFCB08CFE6E58159EFBF2AF89350F10942AE425A7264D7309642CF14
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: 5=6
                              • API String ID: 0-2897083178
                              • Opcode ID: 02b8a189ac550bbcb39a8eac576c01ec24f8575b9b1eeb17a7f3ecc8b25a9c9c
                              • Instruction ID: d22376f8571e2bd92675c28d88a6e31306fa0e0e6082cff420017b6290b3b281
                              • Opcode Fuzzy Hash: 02b8a189ac550bbcb39a8eac576c01ec24f8575b9b1eeb17a7f3ecc8b25a9c9c
                              • Instruction Fuzzy Hash: 73715970E1520A9FCB48CFA6DA454AEFBF2FF89340F10952AE025E7254EB749A01CF55
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: 5=6
                              • API String ID: 0-2897083178
                              • Opcode ID: d8e1aa4b452ce8bbdcf4e565eeeaadfdadd375266f247cadc507c0b25f2571d4
                              • Instruction ID: 505d16cf64756df127946bda3816c0d33a9dfed045c2bcc8ece80a744e81a13e
                              • Opcode Fuzzy Hash: d8e1aa4b452ce8bbdcf4e565eeeaadfdadd375266f247cadc507c0b25f2571d4
                              • Instruction Fuzzy Hash: 32616C74E1520A9FCB48CFA6DA454AEFBF2FF89340F10952AE025E7214EB749A01CF50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1314895217.000000000EF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EF80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ef80000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 236b162911d9fb7be67e4d528c9c6a782b8ae2542a0e454bc21ecc3c97dac195
                              • Instruction ID: d9466f06f2e6e4fd2a365a2a1e22900a8743cd86f513b07c5355bb1f7d359e6a
                              • Opcode Fuzzy Hash: 236b162911d9fb7be67e4d528c9c6a782b8ae2542a0e454bc21ecc3c97dac195
                              • Instruction Fuzzy Hash: 6EE1AD31B017049FEB29EB69CA60BAEB7FBAF89700F14446DD5469B2A0DB35EC01C751
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f70c10678acc0ae08bd8c3833c8cf47819b0e58be2f706e66a2fb76c0224ba70
                              • Instruction ID: 6b2efed779516455c91111fa51190a6a1d47167319cbcbc89271a3e81fc1ecd5
                              • Opcode Fuzzy Hash: f70c10678acc0ae08bd8c3833c8cf47819b0e58be2f706e66a2fb76c0224ba70
                              • Instruction Fuzzy Hash: 54C12AB1E002558FDF25CF65C88079DFBF2AF85310F15C1AAD849AB255EB309985CF92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 424b140946409509833a1c1ace1ec76516b27ac2e9f4b417c392fc916e0e5624
                              • Instruction ID: 0e22ededc6fbd91dd9aba100a7d5e33af604cc909c388ce989f6f417a5ab480a
                              • Opcode Fuzzy Hash: 424b140946409509833a1c1ace1ec76516b27ac2e9f4b417c392fc916e0e5624
                              • Instruction Fuzzy Hash: B4B10771E052099FCB18CFA6D584A9EFBF2BF89340F24952AE425B7354DB349A06CF10
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7dd04efdd9bd300a7b31ccc2ff43ad20c473b94a104b7d30014d4dc694fcf5df
                              • Instruction ID: 08fa761112bd054aa1842c5fb4667193b46c27a70b4b2ebcf508788eafd6a0f2
                              • Opcode Fuzzy Hash: 7dd04efdd9bd300a7b31ccc2ff43ad20c473b94a104b7d30014d4dc694fcf5df
                              • Instruction Fuzzy Hash: A8B1F671D052099FCB18CFA6D584A9EFBF6BF89344F20952AE425BB354DB349A06CF10
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a8d321fe0d57607caff8bedff6ea765c86f076dfb8e08f32f5ab58c8180e22b3
                              • Instruction ID: 9b51b2f6ee520b98dee140c8afaa3d8a756ed27cea725e161fc867a481f1d0d9
                              • Opcode Fuzzy Hash: a8d321fe0d57607caff8bedff6ea765c86f076dfb8e08f32f5ab58c8180e22b3
                              • Instruction Fuzzy Hash: D0415CB0E0460AEFDF04DFA9C5819AEFBB2FF85200F14D695C815A7254D7349A41CFA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a77d56f7c3bee94ba3883e78fd699a864825210918884c49a96908c485ca7075
                              • Instruction ID: 8e017ef72a7cbb1431a02a7cbcdc2132a3548847745a55238218305d67b6177a
                              • Opcode Fuzzy Hash: a77d56f7c3bee94ba3883e78fd699a864825210918884c49a96908c485ca7075
                              • Instruction Fuzzy Hash: 192107B1E006188BDB18CFABD8446DEFBB7BFC9310F14C06AD909A6264DB355A45CF50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3c26507df22f4da07f089c9f632bf5214c3c8130aaafb3870de1b54000411d99
                              • Instruction ID: 5e165b43d4671265bf00f79538535df5db7db8cc11f03969bfcd10984e95a446
                              • Opcode Fuzzy Hash: 3c26507df22f4da07f089c9f632bf5214c3c8130aaafb3870de1b54000411d99
                              • Instruction Fuzzy Hash: E621C8B1E006189BDB18CF9BC94469EFBF7AFC8310F14C06AD409A6258DB745945CF50

                              Control-flow Graph

                              control_flow_graph 487 164cff1-164d08f GetCurrentProcess 491 164d091-164d097 487->491 492 164d098-164d0cc GetCurrentThread 487->492 491->492 493 164d0d5-164d109 GetCurrentProcess 492->493 494 164d0ce-164d0d4 492->494 496 164d112-164d12d call 164d5d8 493->496 497 164d10b-164d111 493->497 494->493 500 164d133-164d162 GetCurrentThreadId 496->500 497->496 501 164d164-164d16a 500->501 502 164d16b-164d1cd 500->502 501->502
                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 0164D07E
                              • GetCurrentThread.KERNEL32 ref: 0164D0BB
                              • GetCurrentProcess.KERNEL32 ref: 0164D0F8
                              • GetCurrentThreadId.KERNEL32 ref: 0164D151
                              Memory Dump Source
                              • Source File: 00000000.00000002.1306135562.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1640000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: e34bfb6e53b5f4818cdf0d6d94aee477eb6524a83dce4b5b446e9c4030313fc1
                              • Instruction ID: f773fa68c25b9d924d525ca041feb8a3bcce05ca921aaba74546ef49c66a01e4
                              • Opcode Fuzzy Hash: e34bfb6e53b5f4818cdf0d6d94aee477eb6524a83dce4b5b446e9c4030313fc1
                              • Instruction Fuzzy Hash: 3D5168B0D007498FEB18DFA9D9887AEBBF1EF88314F208059E419A73A0D7745945CF65

                              Control-flow Graph

                              control_flow_graph 509 164d000-164d08f GetCurrentProcess 513 164d091-164d097 509->513 514 164d098-164d0cc GetCurrentThread 509->514 513->514 515 164d0d5-164d109 GetCurrentProcess 514->515 516 164d0ce-164d0d4 514->516 518 164d112-164d12d call 164d5d8 515->518 519 164d10b-164d111 515->519 516->515 522 164d133-164d162 GetCurrentThreadId 518->522 519->518 523 164d164-164d16a 522->523 524 164d16b-164d1cd 522->524 523->524
                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 0164D07E
                              • GetCurrentThread.KERNEL32 ref: 0164D0BB
                              • GetCurrentProcess.KERNEL32 ref: 0164D0F8
                              • GetCurrentThreadId.KERNEL32 ref: 0164D151
                              Memory Dump Source
                              • Source File: 00000000.00000002.1306135562.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1640000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: Current$ProcessThread
                              • String ID:
                              • API String ID: 2063062207-0
                              • Opcode ID: 5e5022c9563e833401e20dcc79bf048fadb86cc326f65d1fe602e2ac831d9324
                              • Instruction ID: d3aebf22e152cf061e3feb97318824bc926a2ccd3a9f9b445bf8f557e2e388cd
                              • Opcode Fuzzy Hash: 5e5022c9563e833401e20dcc79bf048fadb86cc326f65d1fe602e2ac831d9324
                              • Instruction Fuzzy Hash: 405167B4D003098FDB18DFA9D988BAEBBF1EF88314F208019E419A7360D7345845CF65

                              Control-flow Graph

                              control_flow_graph 896 b7ded70-b7dee05 898 b7dee3e-b7dee5e 896->898 899 b7dee07-b7dee11 896->899 906 b7dee97-b7deec6 898->906 907 b7dee60-b7dee6a 898->907 899->898 900 b7dee13-b7dee15 899->900 901 b7dee38-b7dee3b 900->901 902 b7dee17-b7dee21 900->902 901->898 904 b7dee25-b7dee34 902->904 905 b7dee23 902->905 904->904 908 b7dee36 904->908 905->904 913 b7deeff-b7defb9 CreateProcessA 906->913 914 b7deec8-b7deed2 906->914 907->906 909 b7dee6c-b7dee6e 907->909 908->901 911 b7dee91-b7dee94 909->911 912 b7dee70-b7dee7a 909->912 911->906 915 b7dee7c 912->915 916 b7dee7e-b7dee8d 912->916 927 b7defbb-b7defc1 913->927 928 b7defc2-b7df048 913->928 914->913 918 b7deed4-b7deed6 914->918 915->916 916->916 917 b7dee8f 916->917 917->911 919 b7deef9-b7deefc 918->919 920 b7deed8-b7deee2 918->920 919->913 922 b7deee4 920->922 923 b7deee6-b7deef5 920->923 922->923 923->923 925 b7deef7 923->925 925->919 927->928 938 b7df058-b7df05c 928->938 939 b7df04a-b7df04e 928->939 941 b7df06c-b7df070 938->941 942 b7df05e-b7df062 938->942 939->938 940 b7df050 939->940 940->938 944 b7df080-b7df084 941->944 945 b7df072-b7df076 941->945 942->941 943 b7df064 942->943 943->941 946 b7df096-b7df09d 944->946 947 b7df086-b7df08c 944->947 945->944 948 b7df078 945->948 949 b7df09f-b7df0ae 946->949 950 b7df0b4 946->950 947->946 948->944 949->950
                              APIs
                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0B7DEFA6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: 76d32ce3136ec078c63aef6cbaa9ca5d4332dbef18284754c11a046a85cd04de
                              • Instruction ID: 06715a4fa0fd7c3b7985fd0817897c344d4748f00773e74a2c494dc497075801
                              • Opcode Fuzzy Hash: 76d32ce3136ec078c63aef6cbaa9ca5d4332dbef18284754c11a046a85cd04de
                              • Instruction Fuzzy Hash: 78915A71D003198FEF25DFA8C840BAEBBF2BF48350F148569E849AB240DB759985CF91

                              Control-flow Graph

                              control_flow_graph 952 164ad68-164ad77 954 164ada3-164ada7 952->954 955 164ad79-164ad86 call 164a08c 952->955 957 164ada9-164adb3 954->957 958 164adbb-164adfc 954->958 962 164ad9c 955->962 963 164ad88 955->963 957->958 964 164adfe-164ae06 958->964 965 164ae09-164ae17 958->965 962->954 1010 164ad8e call 164aff0 963->1010 1011 164ad8e call 164b000 963->1011 964->965 966 164ae19-164ae1e 965->966 967 164ae3b-164ae3d 965->967 969 164ae20-164ae27 call 164a098 966->969 970 164ae29 966->970 972 164ae40-164ae47 967->972 968 164ad94-164ad96 968->962 971 164aed8-164af54 968->971 976 164ae2b-164ae39 969->976 970->976 1003 164af56-164af7e 971->1003 1004 164af80-164af98 971->1004 973 164ae54-164ae5b 972->973 974 164ae49-164ae51 972->974 977 164ae5d-164ae65 973->977 978 164ae68-164ae71 call 164a0a8 973->978 974->973 976->972 977->978 984 164ae73-164ae7b 978->984 985 164ae7e-164ae83 978->985 984->985 986 164ae85-164ae8c 985->986 987 164aea1-164aea5 985->987 986->987 989 164ae8e-164ae9e call 164a0b8 call 164a0c8 986->989 990 164aeab-164aeae 987->990 989->987 993 164aeb0-164aece 990->993 994 164aed1-164aed7 990->994 993->994 1003->1004 1005 164afa0-164afcb GetModuleHandleW 1004->1005 1006 164af9a-164af9d 1004->1006 1007 164afd4-164afe8 1005->1007 1008 164afcd-164afd3 1005->1008 1006->1005 1008->1007 1010->968 1011->968
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000), ref: 0164AFBE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1306135562.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1640000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 28248561722091549fa214a4425440cfd6fdd0704018c0b791a3a50e44e9102e
                              • Instruction ID: b1bbad74d5a3a602170bd10d93588ada2d6f0695d29c1e426ab3d3acc94b018a
                              • Opcode Fuzzy Hash: 28248561722091549fa214a4425440cfd6fdd0704018c0b791a3a50e44e9102e
                              • Instruction Fuzzy Hash: A8812570A00B059FE724DF69D84479ABBF2FF88304F00892DD59A9BB50D775E84ACB91

                              Control-flow Graph

                              control_flow_graph 1012 16458ed-16458f4 1013 16458f6-16459b9 CreateActCtxA 1012->1013 1014 1645891-16458b9 1012->1014 1019 16459c2-1645a1c 1013->1019 1020 16459bb-16459c1 1013->1020 1017 16458c2-16458e3 1014->1017 1018 16458bb-16458c1 1014->1018 1018->1017 1028 1645a1e-1645a21 1019->1028 1029 1645a2b-1645a2f 1019->1029 1020->1019 1028->1029 1030 1645a40 1029->1030 1031 1645a31-1645a3d 1029->1031 1033 1645a41 1030->1033 1031->1030 1033->1033
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 016459A9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1306135562.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1640000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: e8fab36b086a94f464f01717ed262090b22586b832387361b036a0ee6c97511a
                              • Instruction ID: e0bc609ace3b6c5e4e3199d29ec640e8a5d677d411e145e70dd05933aac0d471
                              • Opcode Fuzzy Hash: e8fab36b086a94f464f01717ed262090b22586b832387361b036a0ee6c97511a
                              • Instruction Fuzzy Hash: 8A510F71C00719CFEB24CFA9C8847CEBBF1AF48314F20816AD519AB251DB756986CF90
                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 016459A9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1306135562.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1640000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: Create
                              • String ID:
                              • API String ID: 2289755597-0
                              • Opcode ID: 023ecef42a2b644bdda987f231afa6b65b2871428e84e6b2327de19ba24eff95
                              • Instruction ID: 935778540b67bc4499b4f1e7f3a05eda58b0b9c8eb418702683b34fec4cd411f
                              • Opcode Fuzzy Hash: 023ecef42a2b644bdda987f231afa6b65b2871428e84e6b2327de19ba24eff95
                              • Instruction Fuzzy Hash: B941F070D0071DCFEB24DFAAC884B8EBBB5BF49304F20806AD519AB251DB756946CF90
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: CreateFromIconResource
                              • String ID:
                              • API String ID: 3668623891-0
                              • Opcode ID: 08dea7a593faa3f255f570aaecd0acf68b3690c3bcb6ec12a19d228fedddb165
                              • Instruction ID: 402e0f3679c2ac2bd9224f099acfad6b92104d061fd583c08f434469f1cc0abb
                              • Opcode Fuzzy Hash: 08dea7a593faa3f255f570aaecd0acf68b3690c3bcb6ec12a19d228fedddb165
                              • Instruction Fuzzy Hash: 6C319AB29003499FCB12DFA9C840A9ABFF9EF09310F14805AE954A7261C335D850CFA1
                              APIs
                              • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07D53FBD,?,?), ref: 07D5406F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: DrawText
                              • String ID:
                              • API String ID: 2175133113-0
                              • Opcode ID: 77c3eb98649538ce5d807ea726bde71b10d818f14a23af8180f3e83e50530978
                              • Instruction ID: 74cb0a88703b0afe2db190d8abfae6cf4bfc1ffd2c269741a2d807aa00901a2d
                              • Opcode Fuzzy Hash: 77c3eb98649538ce5d807ea726bde71b10d818f14a23af8180f3e83e50530978
                              • Instruction Fuzzy Hash: 9031E2B5D003499FDB10CF9AD884A9EFBF5EB48320F24842AE919A7350D775A940CFA1
                              APIs
                              • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,07D53FBD,?,?), ref: 07D5406F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: DrawText
                              • String ID:
                              • API String ID: 2175133113-0
                              • Opcode ID: bdae831865bad51f2e7690be694eef4ad1a32a7f574dbe3286e41e0449cb5bdd
                              • Instruction ID: 3fdaa61dd2266664d7a5957bfed4a62cc40fb743d2306499a86c18bd10d65f0a
                              • Opcode Fuzzy Hash: bdae831865bad51f2e7690be694eef4ad1a32a7f574dbe3286e41e0449cb5bdd
                              • Instruction Fuzzy Hash: 5B31C3B5D003499FDB10CF9AD884A9EFBF5FB48320F24842AE919A7350D775A944CFA1
                              APIs
                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 0B7DEB78
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite
                              • String ID:
                              • API String ID: 3559483778-0
                              • Opcode ID: 02c1141edfe97d940ca8f885d5df7f6edd90bbcdba7a4f743b5e73d47eb28b01
                              • Instruction ID: 0eaaf6639325c7d06262f74f08aa8dd90800f1e659810861d91b8984070e387c
                              • Opcode Fuzzy Hash: 02c1141edfe97d940ca8f885d5df7f6edd90bbcdba7a4f743b5e73d47eb28b01
                              • Instruction Fuzzy Hash: 0F2113759003499FDB10DFAAC881BDEBBF5FB48320F54852AE959A7240C778A941CBA4
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0164D6D7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1306135562.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1640000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 130431f2e21f5e692c622063b5efa22ad2de27edd639bd9240e4758ceec7b368
                              • Instruction ID: ada96dd2c2c7ecd06c3b56d32823a4d96bb71c28a02d466d64fc203eb7cfce8f
                              • Opcode Fuzzy Hash: 130431f2e21f5e692c622063b5efa22ad2de27edd639bd9240e4758ceec7b368
                              • Instruction Fuzzy Hash: 8421E5B5D00259DFDB10CFAAD885ADEBBF5FB48310F14801AE958A3350C378A941CF60
                              APIs
                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0B7DEC58
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: MemoryProcessRead
                              • String ID:
                              • API String ID: 1726664587-0
                              • Opcode ID: 47c75f802efe79512e10cf22191925c17868c980d65c80f290cf3d4ca8cb96e6
                              • Instruction ID: 610058fc284743269a5b298a845d9ac6cfbe56fbb908c2e54b702b41074b24fd
                              • Opcode Fuzzy Hash: 47c75f802efe79512e10cf22191925c17868c980d65c80f290cf3d4ca8cb96e6
                              • Instruction Fuzzy Hash: 4821E671D003499FDB10DFAAC881BEEBBF5FF48310F54842AE959A7250C7799941CBA4
                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0B7DE15E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: ContextThreadWow64
                              • String ID:
                              • API String ID: 983334009-0
                              • Opcode ID: 7ec0de283e3f3f88f346aeb1759cee6e1c1078fec4f4d7cc423107d58de813ee
                              • Instruction ID: 5537934682310e599377343c52b02a30af8bb3bef77f3ac08c12ac9016b78681
                              • Opcode Fuzzy Hash: 7ec0de283e3f3f88f346aeb1759cee6e1c1078fec4f4d7cc423107d58de813ee
                              • Instruction Fuzzy Hash: E6213871D003098FDB20DFAAC485BAEBBF4EF48364F54842AD459A7240CB799945CFA4
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0164D6D7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1306135562.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1640000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: 3f89a213f6f09ad268f99cb0bcfa35f0f14851311e3b8278530d3bdd6ae82448
                              • Instruction ID: 9f60153d475f701eb97fc5a42f195180d43851e1054b00d5d8e2b560b863be6e
                              • Opcode Fuzzy Hash: 3f89a213f6f09ad268f99cb0bcfa35f0f14851311e3b8278530d3bdd6ae82448
                              • Instruction Fuzzy Hash: 3921E4B5D002489FDB10CF9AD884ADEFBF4EB48320F14801AE918A3350C374A940CF64
                              APIs
                              • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07D550EA,?,?,?,?,?), ref: 07D5518F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: CreateFromIconResource
                              • String ID:
                              • API String ID: 3668623891-0
                              • Opcode ID: 58d8a07f4694a6b9238e6354553d250f974231662e2a4af3bb688c58dd968272
                              • Instruction ID: bd4a2f1717466421b134cb24498d6ca6dea78f822580ff58063419e5583c7b52
                              • Opcode Fuzzy Hash: 58d8a07f4694a6b9238e6354553d250f974231662e2a4af3bb688c58dd968272
                              • Instruction Fuzzy Hash: 691156B58003499FDB21CFAAD844BDEBFF8EB48320F14841AE955A3210C339A950CFA4
                              APIs
                              • VirtualProtect.KERNEL32(?,?,?,?), ref: 0B7D27EB
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              • Opcode ID: 8276bcd7c255ce6229eea0e3bb24949a7788eb1463f24c751d481b0235a83d15
                              • Instruction ID: ef5db59e4e2f46153bfe7bcbd427e53cf84d26a38656cb9bcc8d0be1d6fc97bf
                              • Opcode Fuzzy Hash: 8276bcd7c255ce6229eea0e3bb24949a7788eb1463f24c751d481b0235a83d15
                              • Instruction Fuzzy Hash: E3210675D002499FDB20DF9AC884BDEFBF4FB48320F108429E958A3251D379A545CFA1
                              APIs
                              • VirtualProtect.KERNEL32(?,?,?,?), ref: 0B7D27EB
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              • Opcode ID: 17b4b0d1490f624c31e8507f14f9d71187c2588f2093a23d486889585566c7bf
                              • Instruction ID: 7429eb9845fdbab1fb4a4203f2f454fd91a86e61cfc1d88e34c01f92404f69bf
                              • Opcode Fuzzy Hash: 17b4b0d1490f624c31e8507f14f9d71187c2588f2093a23d486889585566c7bf
                              • Instruction Fuzzy Hash: F42108B5D002499FDB10DF9AC585BDEFBF4BB48320F148429E958A3251D3749545CFA1
                              APIs
                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0B7DE65E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: fc881f2d2f4815180b30db398f5eb656d9072f2230f62a6320e763eb2a0cfa31
                              • Instruction ID: 48788b6f8506c78bdfc952bd1a14e10e3c0e7f99bd4b2f3b02d059dcc2ea1e51
                              • Opcode Fuzzy Hash: fc881f2d2f4815180b30db398f5eb656d9072f2230f62a6320e763eb2a0cfa31
                              • Instruction Fuzzy Hash: DB112675D003499FDB20DFAAC845BDEBBF5EB48320F148829E955A7250CB759940CFA4
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: 98c8d8e38a2c3bb39e93c4e2b7c31c0c657827e8faeb09af19ed90d16bbb3f52
                              • Instruction ID: 90cdfe69fead1d8166d115bd01a055a40743e46c3b7148674df1b7e4fc5a8b25
                              • Opcode Fuzzy Hash: 98c8d8e38a2c3bb39e93c4e2b7c31c0c657827e8faeb09af19ed90d16bbb3f52
                              • Instruction Fuzzy Hash: 1D113A71D003498FDB20DFAAC44579EFBF5EF48320F248819D519A7240CB756945CFA4
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000), ref: 0164AFBE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1306135562.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1640000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 011d1c3ebe1b593590501d0c6a651ea12a0220599f02827c23d10abcc5d61227
                              • Instruction ID: 3a85eede823840eb546c5bf7fdc12e92df7e5d998e2346239db690dad8dce99f
                              • Opcode Fuzzy Hash: 011d1c3ebe1b593590501d0c6a651ea12a0220599f02827c23d10abcc5d61227
                              • Instruction Fuzzy Hash: C61110B5C003498FDB20CF9AC844BDEFBF4EB88324F10842AD829A7640C379A545CFA1
                              APIs
                              • PostMessageW.USER32(?,?,?,?), ref: 0EF81D4D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1314895217.000000000EF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EF80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ef80000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: fe0bbecc61c35ef7a0f23910fee51ca516caaa02c9a3df2873ea6b168ba44e48
                              • Instruction ID: db9808440ab1f01d9d460cc6646c83071c5fdb58237d72625b79a130ec92363b
                              • Opcode Fuzzy Hash: fe0bbecc61c35ef7a0f23910fee51ca516caaa02c9a3df2873ea6b168ba44e48
                              • Instruction Fuzzy Hash: AF11C5B5800349DFDB20DF9AD985BDEBBF8EB48320F14841AD958A7250C375A944CFA1
                              APIs
                              • PostMessageW.USER32(?,?,?,?), ref: 0EF81D4D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1314895217.000000000EF80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EF80000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ef80000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: 64d537a3f3a74c4068872f66a8c4d27909e37c4da910db466b9eb3a92b53c663
                              • Instruction ID: 981c3063dede0f1418a2982c9921dc242ebacec381006f9ceedc738d8c374182
                              • Opcode Fuzzy Hash: 64d537a3f3a74c4068872f66a8c4d27909e37c4da910db466b9eb3a92b53c663
                              • Instruction Fuzzy Hash: 8EF0E2B68003099FDB20DF89D895BDEBBF4EB48324F10841AE558A7250C379A995CFA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1305914371.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_15ed000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 204d671c04e5cbf873fe740fd582b86852b643619a1ead001cbc82f3c1d18380
                              • Instruction ID: a65d2ad860c86f5df9ec190e96fbb66e5b8957f6113d78b248fc8bb4a3645506
                              • Opcode Fuzzy Hash: 204d671c04e5cbf873fe740fd582b86852b643619a1ead001cbc82f3c1d18380
                              • Instruction Fuzzy Hash: 50213672904204DFDB19DF44D9C8B5ABBF5FBA8324F20C569E8090F246C376E446CAA2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1305914371.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_15ed000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 76b5a2061769fdca9fac85b50ae3de71f54023956ea4f0b70bf07f16211f3924
                              • Instruction ID: 4cba2ec95538f4dcd69538de351152875920d76b6464ec2836ce50df6f062a70
                              • Opcode Fuzzy Hash: 76b5a2061769fdca9fac85b50ae3de71f54023956ea4f0b70bf07f16211f3924
                              • Instruction Fuzzy Hash: 15210672904240DFDB19DF54D9C8B2ABFF5FB84318F20C56AD8050F256C336D456CAA2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1305951366.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_15fd000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8ba86343260fd3bae4f61a3cda77e6a1d1a9d4dd0c46a1a15aed22f856e1f5ea
                              • Instruction ID: 4a787cc39ff83757f300ddd21c2b45ffbc515a7f28a244aa81759c1cbbf7f762
                              • Opcode Fuzzy Hash: 8ba86343260fd3bae4f61a3cda77e6a1d1a9d4dd0c46a1a15aed22f856e1f5ea
                              • Instruction Fuzzy Hash: 15210075604200DFDB15DF54D984B2ABBB9FB84314F20C96DEA0A4F286D33AD807CA62
                              Memory Dump Source
                              • Source File: 00000000.00000002.1305951366.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_15fd000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 63e1848a2437da06fb684fa7124e618610fb9baf63d6f16f47f087d09157d038
                              • Instruction ID: 7116f1dff5a2bf806691b0a34c6c7fbc1dcd18ddb5fd9ed1476e748da413f415
                              • Opcode Fuzzy Hash: 63e1848a2437da06fb684fa7124e618610fb9baf63d6f16f47f087d09157d038
                              • Instruction Fuzzy Hash: 96210779604300DFDB15DF94D9C4B1ABBB5FB84324F20C96DDA494F256C336D446CAA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1305951366.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_15fd000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cd6c0d41d8dbcb68d173d94092eca3a6a51178b6b9acce4cac264c0dad620c09
                              • Instruction ID: 966bfcc53304addf85ad822f96c31cecccc77a566d4a2921ec2d2766e8c0daa8
                              • Opcode Fuzzy Hash: cd6c0d41d8dbcb68d173d94092eca3a6a51178b6b9acce4cac264c0dad620c09
                              • Instruction Fuzzy Hash: DF217C755093808FCB06CF24D990715BF71FB46214F28C5EAD9498F6A7C33A980ACB62
                              Memory Dump Source
                              • Source File: 00000000.00000002.1305914371.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_15ed000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                              • Instruction ID: d87f7318808d0cfaa4667d369cca03873a31f2be8d060f77de15985fb1d778c2
                              • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                              • Instruction Fuzzy Hash: A611CD76904280CFCB06CF44D5C4B5ABFB2FB94324F2482A9D8090A256C33AE456CBA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1305914371.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_15ed000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                              • Instruction ID: 335553647e44c85af5d9d40c9e77841f977755a325712c9ca3ab4a8e1e05b8c9
                              • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                              • Instruction Fuzzy Hash: 4D11AF76904280CFCB16CF54D9C4B1ABFB2FB84324F24C6AAD8490F656C33AD456CBA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1305951366.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_15fd000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                              • Instruction ID: b425fab87940bf345fc335a796c5b8eeb5cb487662b5a8fd850cb9ffdf385498
                              • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                              • Instruction Fuzzy Hash: 3411BB79504280DFCB06CF54C5C0B19BBB2FB84324F24C6AED9494F296C33AD40ACBA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: {#L
                              • API String ID: 0-1361971085
                              • Opcode ID: 5fa6c19bcfcba09684adc16b9b63a419d2b03c9b7434463e12369b35db290ab7
                              • Instruction ID: 022ccd7814fad0631755e4eb2790d6bac817b8a358df2df1a460f4381d10b950
                              • Opcode Fuzzy Hash: 5fa6c19bcfcba09684adc16b9b63a419d2b03c9b7434463e12369b35db290ab7
                              • Instruction Fuzzy Hash: 5DD1F871E05219DFCB18CFAAD58059DFBF2BF98340F14D52AE425AB224E7349902CF95
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: {#L
                              • API String ID: 0-1361971085
                              • Opcode ID: cdef0c89e4ac03a2728930b0aea04a948d0ab1b342c8f19fb8e976c20441492b
                              • Instruction ID: b926017ea53bc0296b75a1dc4493635629b6b8fbbfd6c83c613fc4c47a6843a7
                              • Opcode Fuzzy Hash: cdef0c89e4ac03a2728930b0aea04a948d0ab1b342c8f19fb8e976c20441492b
                              • Instruction Fuzzy Hash: E1D1E871E05219DFCB18CFAAD58069DFBF2BF98340F14D52AE425AB224E7349902CF95
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: 98R
                              • API String ID: 0-576591972
                              • Opcode ID: da5cefc536a41dcf1020aefd848cf8318ba68255eef56d2406e2c0508c8565f2
                              • Instruction ID: e8d4e76be35aebd5d4118e6b520e5c68668de25679b6a27aae2de7dfad17e8d6
                              • Opcode Fuzzy Hash: da5cefc536a41dcf1020aefd848cf8318ba68255eef56d2406e2c0508c8565f2
                              • Instruction Fuzzy Hash: 746127B4E1120A9FCB18CFA9D4819AEFBB2FB89310F149526D855AB354D7349A42CF90
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: 98R
                              • API String ID: 0-576591972
                              • Opcode ID: b33e95cf0a866e0f2254df8c44b0674486d3c5e167fcf8036ce4bc6924977445
                              • Instruction ID: 2a55a9b4ee71fac3811ee2a9a2edf983150ef7958552552806797a628977cca6
                              • Opcode Fuzzy Hash: b33e95cf0a866e0f2254df8c44b0674486d3c5e167fcf8036ce4bc6924977445
                              • Instruction Fuzzy Hash: F17115B4E1120ADFCF14CF99D5819AEFBB1FB89310F14952AD815AB314D334AA42CF94
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: iUfo
                              • API String ID: 0-3820436262
                              • Opcode ID: 76ebf8a81024f515af5dca54a4dbc17460f6e28a0bd8579259287977275bc86e
                              • Instruction ID: a72d8ccb1aa22199f6acd3caeee2a5a2ab4d9e51ad630c98819b5f9380ffa317
                              • Opcode Fuzzy Hash: 76ebf8a81024f515af5dca54a4dbc17460f6e28a0bd8579259287977275bc86e
                              • Instruction Fuzzy Hash: 315102B4E012199FCB08CFAAD9455EEFBF2BF88300F14942AE415B7354EB349A418B65
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: iUfo
                              • API String ID: 0-3820436262
                              • Opcode ID: 9a84c0438239ff66aa8ab215cd7c22ad38111c95f75cf11d55f680788097e238
                              • Instruction ID: e1f68c03b0397aca6182f3bd7e08c95f13fde7906ba440e3f56659801f39060d
                              • Opcode Fuzzy Hash: 9a84c0438239ff66aa8ab215cd7c22ad38111c95f75cf11d55f680788097e238
                              • Instruction Fuzzy Hash: C151F2B4E012199FCB08CFAAD9455EEFBF2BF88300F14942AE415B7254EB345A418F65
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: -2m
                              • API String ID: 0-2686427999
                              • Opcode ID: 0f965154786a2a8e380f2872adb5c8171c1a94ea0c720aa67e24b84e7961013e
                              • Instruction ID: 85a138c11e13a7ad7b92014e575b36113f20a7ec359f896b3aa58edcd3ca5f36
                              • Opcode Fuzzy Hash: 0f965154786a2a8e380f2872adb5c8171c1a94ea0c720aa67e24b84e7961013e
                              • Instruction Fuzzy Hash: FC514CB0E142599FCB08CFAAC4406AEFFF2EF89310F24D16AD859A7254D7348A41CB65
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: -2m
                              • API String ID: 0-2686427999
                              • Opcode ID: d9ac321fa6408cb9113dafeb1dd3eab127080c612e13c939d32b1c14e4f18e51
                              • Instruction ID: ce185ada149f4e174bce4a54711c660392161d612743271015c0ec20a7c05f41
                              • Opcode Fuzzy Hash: d9ac321fa6408cb9113dafeb1dd3eab127080c612e13c939d32b1c14e4f18e51
                              • Instruction Fuzzy Hash: F2514AB0E042598FDB08CFAAC5406AEFFF2FF89310F24D16AD859A7255D7348A41CB65
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: -2m
                              • API String ID: 0-2686427999
                              • Opcode ID: 8207206a17387a2c6f78742efb02cde0fce2938d4af12209edd000b4e827908b
                              • Instruction ID: 12ae9bbec8489c24307bcf8b90f1c738bfb7f6b016f6c532b0f777bb8cab95ec
                              • Opcode Fuzzy Hash: 8207206a17387a2c6f78742efb02cde0fce2938d4af12209edd000b4e827908b
                              • Instruction Fuzzy Hash: 455107B0E142198FDB08CFAAC5406AEFFF2FB89300F24D16AD859B7254D73499418B69
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0ni
                              • API String ID: 0-1488673370
                              • Opcode ID: f336f3cc9648a775787fb3a63f4ba61e479eb6a563be4f05b504a1675ad7dddb
                              • Instruction ID: faa8f4b7ff57eb4c3942ec87aad176df447f4ad7c6d2f5b829f095df842ea065
                              • Opcode Fuzzy Hash: f336f3cc9648a775787fb3a63f4ba61e479eb6a563be4f05b504a1675ad7dddb
                              • Instruction Fuzzy Hash: 3551A971E057588FEB19CF6B8D5469AFBF3AFC9200F18C1AAD44CA6265DB300A858F11
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: w7e^
                              • API String ID: 0-1657886525
                              • Opcode ID: 44cb1589bb0631e16e6bbbebc7665f6b3ebb6772af095f1d89a972682c195cb1
                              • Instruction ID: ccfb7a731c1de4e0089befa841f00b5e17d2e1f486a0ce6ddeadc8bd6cd50cc0
                              • Opcode Fuzzy Hash: 44cb1589bb0631e16e6bbbebc7665f6b3ebb6772af095f1d89a972682c195cb1
                              • Instruction Fuzzy Hash: 594156B0D04209EFCB04CFAAC8456EEFBF1FB89240F15946AD012B7254D3388641CF6A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: w7e^
                              • API String ID: 0-1657886525
                              • Opcode ID: c7afd96fcfdbf11ee6d8a1c9b227b244495f2f40c43d19d742f348904e0ab3d7
                              • Instruction ID: 4a885256cf9c6d012c858293a4ab658b939351942a89dd4a68a95527ec5ec73d
                              • Opcode Fuzzy Hash: c7afd96fcfdbf11ee6d8a1c9b227b244495f2f40c43d19d742f348904e0ab3d7
                              • Instruction Fuzzy Hash: 914124B0D04219EBCF04CFAAC8446EEFBF1BB89240F15956AD426B7244D73846428F6A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0ni
                              • API String ID: 0-1488673370
                              • Opcode ID: fe64141290965bf9a438d2df9d9be6e7ef71c51c1ca3b1992d2a3cd4d29178f4
                              • Instruction ID: 49c0e37f7ed330cc70c68500a7ce7a92b87910f13a5f9b5757e2d89040edc7a5
                              • Opcode Fuzzy Hash: fe64141290965bf9a438d2df9d9be6e7ef71c51c1ca3b1992d2a3cd4d29178f4
                              • Instruction Fuzzy Hash: 31514971E116188BEB68CF6B8D4579EFBF3AFC8200F14C1BA954CA6255EB301A858F51
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f0b8607135e6c0498c8e16d80db786a41220f6abb850404b412fe376c9e8fe5b
                              • Instruction ID: c5514e60b69c4a78bb8c30a2cf0c2e3e788a8f9edb0c6ac17f45f7f1d22a8220
                              • Opcode Fuzzy Hash: f0b8607135e6c0498c8e16d80db786a41220f6abb850404b412fe376c9e8fe5b
                              • Instruction Fuzzy Hash: 61221C74E002158FDB24CFA8C584AADBBF2FF89355F248169E419AB355D731EC42CB90
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e11ae71d2eb1870d80a5452f0c27047b5d336901f4ef6d959d5177182b8c5742
                              • Instruction ID: 5a3306931cb7a8cf48a5b0285e75d1fa358e13b2d1cde4800d74fb45e5d892f2
                              • Opcode Fuzzy Hash: e11ae71d2eb1870d80a5452f0c27047b5d336901f4ef6d959d5177182b8c5742
                              • Instruction Fuzzy Hash: 8CE10974E002198FDB14CFA9C580AAEFBB2FF89345F248169E415AB355D730AD42CF61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bc6686663559c850e4f4ecb6dddb6cfa77269a23788d84d05737ac942455ce23
                              • Instruction ID: 9dc7970cf0e987f0b30657085609555d07db2995d2860eeafb0d987a9f3ca87c
                              • Opcode Fuzzy Hash: bc6686663559c850e4f4ecb6dddb6cfa77269a23788d84d05737ac942455ce23
                              • Instruction Fuzzy Hash: 82E1F874E002198FDB14CFA9C580AAEFBB2FF89345F248169E415AB356D730AD42CF60
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2b14ad2d2ebf7c51e6fd48e96ea69700bc7fcb16998e871d404893c79b94ac11
                              • Instruction ID: d121909a27613b6765a60880272a81bbe4f11a28355c6193412cdfc5dff1ef81
                              • Opcode Fuzzy Hash: 2b14ad2d2ebf7c51e6fd48e96ea69700bc7fcb16998e871d404893c79b94ac11
                              • Instruction Fuzzy Hash: CDE1E774E002198FDB14DFA9C580AAEFBB2FF89345F248169E415AB356D730AD42CF61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1d1321fd52fb45240ee20e775e534e60867ba068aa39ecb6aa185efe98577714
                              • Instruction ID: aa1ff45b426a772bce0b1dd8ff9818b0dbb32276010e11b2814c253b5e8dca48
                              • Opcode Fuzzy Hash: 1d1321fd52fb45240ee20e775e534e60867ba068aa39ecb6aa185efe98577714
                              • Instruction Fuzzy Hash: 8DE1E774E002198FDB14CFA9C580AAEFBB2FF89345F248169E455AB356D730AD42CF60
                              Memory Dump Source
                              • Source File: 00000000.00000002.1306135562.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1640000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8b8a5246f44559be1271bc6a585ca6c883f22551dde0f505728fe3c0bccdcf45
                              • Instruction ID: 5a2563fc98bf8b4e5832c26625faf44bba89cb8cd2f3713acd1ec0ab745a2a50
                              • Opcode Fuzzy Hash: 8b8a5246f44559be1271bc6a585ca6c883f22551dde0f505728fe3c0bccdcf45
                              • Instruction Fuzzy Hash: 40A16F32E0021ACFDF15DFB8C84059EBBB2FF85301B1585AAE905AB365DB71E906CB40
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 77121b5b21bc2c53ee46b637093873366fff1ed6284ded4e4af94045b61ad671
                              • Instruction ID: cc4c67ba73426b8c5a55329e580bdbbaaee69b059c429a3d0254434128ce7377
                              • Opcode Fuzzy Hash: 77121b5b21bc2c53ee46b637093873366fff1ed6284ded4e4af94045b61ad671
                              • Instruction Fuzzy Hash: 6AA115B0E1520ADFCB44CFA9D9809AEFBF2FF89210F249556D455AB250D330AA41CF61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dc09b6249b9634f2f370d48013cdd0b4ab0a7094f9fdbceb91f59a9fc72ce1b8
                              • Instruction ID: fee96a7d70d8cbef4caf4e4abd10f8475d82c31de19a4f1a85e7054ddf4467a1
                              • Opcode Fuzzy Hash: dc09b6249b9634f2f370d48013cdd0b4ab0a7094f9fdbceb91f59a9fc72ce1b8
                              • Instruction Fuzzy Hash: 0F91CFB4E1521ADFCB44CFA9C98499EFBF2FF89210F249569D455AB320D330AA41CF61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dc0dd10ec07c857af79c63a29e1d1c7570574883017ccbec6a0db1c851a3a956
                              • Instruction ID: 66d8d3ceeb1a24fccc28d393904e6eeb0163b8311c37ab44dc53d8ee3e1f6b4e
                              • Opcode Fuzzy Hash: dc0dd10ec07c857af79c63a29e1d1c7570574883017ccbec6a0db1c851a3a956
                              • Instruction Fuzzy Hash: 3481C3B4E1525ACFCB44CFA9C98499EFBF2FF89210F14956AD455AB320D330AA41CF61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3cb95748e7e041ecf6a5f8adac1ebb0788d96baa906895c92b58336c0b481f9e
                              • Instruction ID: dbb88650f9ee039c4e7ae7fc88d70e33812f8d162c82e6aa78d5e8338fc69880
                              • Opcode Fuzzy Hash: 3cb95748e7e041ecf6a5f8adac1ebb0788d96baa906895c92b58336c0b481f9e
                              • Instruction Fuzzy Hash: 19810A74E002698BDB14CF69C580AAEFBF6FF89204F24C1A9D458A7356D730AE41CF65
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1a21ec99979bdb103c15c9614ecbd20aa0f76e4518ee809181e202a4629e8122
                              • Instruction ID: 3af4473b0a90e9d460de289e507eb641b41ec47a3cfa800c1812c0b78f995500
                              • Opcode Fuzzy Hash: 1a21ec99979bdb103c15c9614ecbd20aa0f76e4518ee809181e202a4629e8122
                              • Instruction Fuzzy Hash: 87810A74E102598BDB14CF69C5806AEFBF2FF89204F24C1AAD458A7356D730AE41CF65
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a072b1908b7d2dd8790ba4ad3ede1418310741186f26916b386660e10ab96a05
                              • Instruction ID: be980b5b4803267dec4bda9ff3cfda940fd9b07f07d513f64d4e4eaeaf4dc5a8
                              • Opcode Fuzzy Hash: a072b1908b7d2dd8790ba4ad3ede1418310741186f26916b386660e10ab96a05
                              • Instruction Fuzzy Hash: 7771D6B4E15609DFCF04DFA9C5805EEFBF6FB89210F24A42AD815BB354D3349A418B68
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f9030b02adaa5d1bb095e13e42eff1691a1fef287e36e3aaa663b540e18baea5
                              • Instruction ID: e0c9b695d37c3072775befc4911476c9f8fb4fc9ad056099038d62c47396585c
                              • Opcode Fuzzy Hash: f9030b02adaa5d1bb095e13e42eff1691a1fef287e36e3aaa663b540e18baea5
                              • Instruction Fuzzy Hash: D971F7B4E15609CFCF04CFA9C5815EEFBF2BF99210F24A46AD815BB354D3349A418B68
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 286efaced0a6eb5e0a20999635aab0e6777067abe528c025eb86bb10cce3c1e4
                              • Instruction ID: fd6076698227c2230c15f67dbaae51f91576ee9260c19a5b23bc9a48fe0227a1
                              • Opcode Fuzzy Hash: 286efaced0a6eb5e0a20999635aab0e6777067abe528c025eb86bb10cce3c1e4
                              • Instruction Fuzzy Hash: 9951E774E002198BDB14DFA9C5806AEFBF2FF89345F248169E418A7356D731AD42CFA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 28fb350562c9f8a51797a1f053b9be703de6865b130998d6d26dbeca6214bb43
                              • Instruction ID: 9a4fa37933b9eb647d4c42f20bc0643ef2ac5d878345b4c889bb7a6b0c2a42da
                              • Opcode Fuzzy Hash: 28fb350562c9f8a51797a1f053b9be703de6865b130998d6d26dbeca6214bb43
                              • Instruction Fuzzy Hash: 07415E70E1520ADFCB04CFA5C5456AEFBF2AF98340F20946AD015B7265E37487428B95
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c3afd55eda21039f6ed0ac90f254d0c3d7f4608a404bf852484ab1e9a4fcd089
                              • Instruction ID: 83a29743802a47a1d3c65dc2f81196d28fe93957809e995682237a02789787ac
                              • Opcode Fuzzy Hash: c3afd55eda21039f6ed0ac90f254d0c3d7f4608a404bf852484ab1e9a4fcd089
                              • Instruction Fuzzy Hash: A141F8B0E1520ADBCF04CFA9C5815AEFBF2EF89200F64D56AC905AB254D7349A418BA5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 0fc90426c1dd0877f3b304a759ce572c29b1fff00cb43adce48877379760fe0a
                              • Instruction ID: 0997997944b84f73dffef413f08f1b0a59a10b5a0c954cbb9d9f3617bb8eeb2f
                              • Opcode Fuzzy Hash: 0fc90426c1dd0877f3b304a759ce572c29b1fff00cb43adce48877379760fe0a
                              • Instruction Fuzzy Hash: 914107B0E1520ADBCF44CFA9C5816AEFBF2FF88200F64D569C805BB354D7309A418BA4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e7c1c58c0c5b9b06e26ac4083ef2b38630a261faaf54c3737f9ddeb5d6f685cc
                              • Instruction ID: a275380de521f540a78ef622db59c15cb3fd8ffb7f0d4bb8dbeb4671b945fb2b
                              • Opcode Fuzzy Hash: e7c1c58c0c5b9b06e26ac4083ef2b38630a261faaf54c3737f9ddeb5d6f685cc
                              • Instruction Fuzzy Hash: E141F7B1E1420A9FDF08DFAAD5816AEFBF2BF89300F14C56AC415AB254D7349A41CF94
                              Memory Dump Source
                              • Source File: 00000000.00000002.1313213620.000000000B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0B7D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_b7d0000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 36dac8e24f607300b998d90abcb1ebbb345a3d585772ffa1daba8ce9d3555aaf
                              • Instruction ID: 29e2856d125a92096df67b710918730b58fea6675b8848fb4c82d09e00e329c2
                              • Opcode Fuzzy Hash: 36dac8e24f607300b998d90abcb1ebbb345a3d585772ffa1daba8ce9d3555aaf
                              • Instruction Fuzzy Hash: EB416D70E1520ADFCB04CFA6C5456AFFBF1EF88740F20946AD015B7265E37497428B94
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8ff8d0c5f145ba3b3bd641c2fae158fad108bcd43dc55b48a06bc45e9f31e237
                              • Instruction ID: 060ab9cbadb0a9416361b2577d53c640a30f7bd58fb73df6faf53f7c61ee2395
                              • Opcode Fuzzy Hash: 8ff8d0c5f145ba3b3bd641c2fae158fad108bcd43dc55b48a06bc45e9f31e237
                              • Instruction Fuzzy Hash: 3741E3B0E1420ADBDB08DFAAD5805AEFBF2BB89200F14D56AC815AB254D7349A418F94
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c9e0bbe4fc2bc0025b0cac6c48b8fd2ee9a2b526aa9356c6e6341e788c1c9b0a
                              • Instruction ID: 4a1317edeaaa99036d079f26e07cd1a4580553fb1080a9eed920db15d718d1d7
                              • Opcode Fuzzy Hash: c9e0bbe4fc2bc0025b0cac6c48b8fd2ee9a2b526aa9356c6e6341e788c1c9b0a
                              • Instruction Fuzzy Hash: 63210DB1E007589BEB18CF6BD8406DEFBF3AFC9200F14C17AD918A6254EB3406428F55
                              Memory Dump Source
                              • Source File: 00000000.00000002.1312381284.0000000007D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7d50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1688b8fb56afb1ae5d8896aae9c567f0f4dba49f32d270bfd5ac0e54bf028697
                              • Instruction ID: 7f4584a51ddbb8ba0da7c8391f41359c464ef042c777580368431c1a2d3ad914
                              • Opcode Fuzzy Hash: 1688b8fb56afb1ae5d8896aae9c567f0f4dba49f32d270bfd5ac0e54bf028697
                              • Instruction Fuzzy Hash: 2811ECB1E006189BEB18CFABD8406DEFAF7AFC8300F14C17AC918A6254EB3415458F55

                              Execution Graph

Execution Coverage: 10.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 47
Total number of Limit Nodes: 6
Execution graph (rendered as a diagram in the original report; the flattened node/edge list is condensed here to its three entry points and the API calls reachable from each; addresses are from process 8, regions 07020000 and 02F50000):
• 70202a0 -> 70202b5 -> 7025088 -> 70250ad -> 7025318 -> 7025326 -> 7025350 -> 7025395 -> 7024d54 -> 7025438 GlobalMemoryStatusEx -> 70253b2 -> 702547e GlobalMemoryStatusEx; alternative path 7025326 -> 7025360 -> 7025395 -> 7024d54 GlobalMemoryStatusEx -> 70253b2 -> 702547e GlobalMemoryStatusEx; 70202b5 -> 7025086 -> 7025088 -> 7025318 (limit node, "3 API calls")
• 2f5ad70 -> 2f5adb6 -> 2f5af41 -> 2f5af4e -> 2f5aac4 -> 2f5afb8 DuplicateHandle; alternative path 2f5adb6 -> 2f5af50 -> 2f5aac4 DuplicateHandle
• 2f55c60 -> 2f55ca4 SetWindowsHookExW -> 2f55cea
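The execution graph above survives extraction only as one flattened line of node ids, addresses, optional API labels and `a->b` edges. The following is an added example, not part of the Joe Sandbox report or its tooling: a small parser that rebuilds the graph from that flattened text and reports, for each entry point (a node with no incoming edge), which Win32 APIs it can reach. The sample input is the flattened graph from this report, re-joined here; the CamelCase heuristic used to tell an API label from other label words (such as the "3 API calls" limit-node text) is an assumption of this example, not a Joe Sandbox convention.

```python
"""Rebuild a Joe Sandbox execution graph from its flattened text form
("<node id> <hex address> [label ...]" entries and "<id>-><id>" edges on
one line) and map each entry point to the Win32 APIs reachable from it.
Added example for this report; not Joe Sandbox code."""
import re
from collections import defaultdict

# Flattened execution graph as extracted from this report (process 8),
# split over several lines for readability and re-joined with spaces.
EXECUTION_GRAPH = " ".join([
    "execution_graph 21996 70202a0 21997 70202b5 21996->21997 22001 7025088",
    "21997->22001 22005 7025086 21997->22005 21998 7020512 22002 70250ad",
    "22001->22002 22009 7025318 22002->22009 22003 702510f 22003->21998",
    "22006 7025088 22005->22006 22008 7025318 3 API calls 22006->22008",
    "22007 702510f 22007->21998 22008->22007 22010 7025326 22009->22010",
    "22011 70252ae 22009->22011 22015 7025350 22010->22015 22023 7025360",
    "22010->22023 22011->22003 22012 7025336 22012->22003 22016 7025395",
    "22015->22016 22017 702536d 22015->22017 22031 7024d54 22016->22031",
    "22017->22012 22019 70253b6 22019->22012 22021 702547e GlobalMemoryStatusEx",
    "22022 70254ae 22021->22022 22022->22012 22024 7025395 22023->22024",
    "22025 702536d 22023->22025 22026 7024d54 GlobalMemoryStatusEx 22024->22026",
    "22028 70253b2 22026->22028 22027 70253b6 22027->22012 22028->22027",
    "22029 702547e GlobalMemoryStatusEx 22028->22029 22030 70254ae 22029->22030",
    "22030->22012 22032 7025438 GlobalMemoryStatusEx 22031->22032 22034 70253b2",
    "22032->22034 22034->22019 22034->22021 22035 2f5ad70 22036 2f5adb6",
    "22035->22036 22040 2f5af41 22036->22040 22045 2f5af50 22036->22045",
    "22037 2f5aea3 22041 2f5af4e 22040->22041 22042 2f5af19 22040->22042",
    "22043 2f5af7e 22041->22043 22048 2f5aac4 22041->22048 22042->22037",
    "22043->22037 22046 2f5aac4 DuplicateHandle 22045->22046 22047 2f5af7e",
    "22046->22047 22047->22037 22049 2f5afb8 DuplicateHandle 22048->22049",
    "22050 2f5b04e 22049->22050 22050->22043 22051 2f55c60",
    "22052 2f55ca4 SetWindowsHookExW 22051->22052 22054 2f55cea 22052->22054",
])

NODE_ID = re.compile(r"\d+")            # decimal node id
HEX_ADDR = re.compile(r"[0-9a-f]+")     # lower-case hex address, as in the dump
EDGE = re.compile(r"(\d+)->(\d+)")
# Heuristic (assumption of this example): a CamelCase token in a node label is
# a Win32 API name; "3", "API" and "calls" from limit-node labels do not match.
API_NAME = re.compile(r"[A-Z][a-z]+(?:[A-Z0-9][a-z0-9]*)+")


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> {addr, label, apis},
    edges maps id -> list of successor ids."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges, current, i = {}, defaultdict(list), None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.fullmatch(tok)
        if edge:
            edges[edge.group(1)].append(edge.group(2))
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        # A node starts with a decimal id immediately followed by a hex address.
        if NODE_ID.fullmatch(tok) and nxt is not None and HEX_ADDR.fullmatch(nxt):
            current = tok
            nodes[tok] = {"addr": nxt, "label": [], "apis": []}
            i += 2
            continue
        if current is None:
            raise ValueError(f"label token {tok!r} before any node")
        nodes[current]["label"].append(tok)
        if API_NAME.fullmatch(tok):
            nodes[current]["apis"].append(tok)
        i += 1
    return nodes, dict(edges)


def entry_points(nodes, edges):
    """Node ids with no incoming edge: where execution enters the graph."""
    targets = {dst for dsts in edges.values() for dst in dsts}
    return [n for n in nodes if n not in targets]


def reachable_apis(nodes, edges, start):
    """Sorted, de-duplicated API names on every node reachable from start."""
    seen, stack, apis = set(), [start], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        apis.update(nodes[n]["apis"])
        stack.extend(edges.get(n, []))
    return sorted(apis)


def summarize(text):
    """Map each entry-point address to the APIs reachable from it."""
    nodes, edges = parse_execution_graph(text)
    return {nodes[e]["addr"]: reachable_apis(nodes, edges, e)
            for e in entry_points(nodes, edges)}


if __name__ == "__main__":
    for addr, apis in summarize(EXECUTION_GRAPH).items():
        print(addr, "->", ", ".join(apis) or "(no API)")
```

Run stand-alone it prints one line per entry point: 70202a0 reaches GlobalMemoryStatusEx, 2f5ad70 reaches DuplicateHandle and 2f55c60 reaches SetWindowsHookExW. The graph only shows which API each code path ends in; what those calls are used for (a memory-size check or a hook installation) is established by the report's signatures and the call sites listed below, not by this reconstruction.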

                              Control-flow Graph

Control-flow graph of the function at 7025360 (rendered as a diagram in the original report; the executed/not-executed block colouring is not preserved here):
• 7025360-702536b -> 7025395-70253b4 (call 7024d54) or 702536d-7025394 (call 7021a2c)
• 7025395-70253b4 -> 70253b6-70253b9 or 70253ba-7025419
• 70253ba-7025419 -> 702541b-702541e or 702541f-70254ac (GlobalMemoryStatusEx)
• 702541f-70254ac -> 70254b5-70254dd, or 70254ae-70254b4 -> 70254b5-70254dd
                              Memory Dump Source
                              • Source File: 00000008.00000002.3775311443.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_7020000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c3fbbd9eb0609f915205a84e160d555c5c369ac80986657f35e53f50b12fb03c
                              • Instruction ID: 595fcdcf7ba191027633758ac02a833f3a0029276cbbf4f9303aaed8d3631933
                              • Opcode Fuzzy Hash: c3fbbd9eb0609f915205a84e160d555c5c369ac80986657f35e53f50b12fb03c
                              • Instruction Fuzzy Hash: CC415572D0436A8FCB14CFB9C8007DEBBF1AF89210F1586AAD808E7241DB749845CBE1

                              Control-flow Graph

Control-flow graph of the function at 70253f1 (rendered as a diagram in the original report; the executed/not-executed block colouring is not preserved here):
• 70253f1-70253f8 -> 7025432-7025476 or 70253fa-7025419
• 70253fa-7025419 -> 702541b-702541e or 702541f-7025476
• 7025432-7025476 and 702541f-7025476 -> 702547e-70254ac (GlobalMemoryStatusEx)
• 702547e-70254ac -> 70254b5-70254dd, or 70254ae-70254b4 -> 70254b5-70254dd
                              APIs
                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,070253B2), ref: 0702549F
                              Memory Dump Source
                              • Source File: 00000008.00000002.3775311443.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_7020000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: GlobalMemoryStatus
                              • String ID:
                              • API String ID: 1890195054-0
                              • Opcode ID: 7cb35750632402ca2c64462f99139f080e05d78e2856522259c74795daf43a11
                              • Instruction ID: 438b184732b4898fae1b48b05afb7c4d72f5fc0bd108f1b37602744faa9677d7
                              • Opcode Fuzzy Hash: 7cb35750632402ca2c64462f99139f080e05d78e2856522259c74795daf43a11
                              • Instruction Fuzzy Hash: A421A0B1C0426A9FDB10DFA9C8007DEFFF4AF49210F2585AAD854A3240D7749951CFA5

                              Control-flow Graph

Control-flow graph of the function at 2f5afb0 (rendered as a diagram in the original report; the executed/not-executed block colouring is not preserved here):
• 2f5afb0-2f5afb7 -> 2f5afb8-2f5b04c (DuplicateHandle)
• 2f5afb8-2f5b04c -> 2f5b055-2f5b072, or 2f5b04e-2f5b054 -> 2f5b055-2f5b072
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F5AF7E,?,?,?,?,?), ref: 02F5B03F
                              Memory Dump Source
                              • Source File: 00000008.00000002.3768277127.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_2f50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: d451bdab4d502edaca8d788d6bad1869588bf6bba53914b5fb6f0fca7a0e07f8
                              • Instruction ID: 1a3779e61022ce6674a213c530634bf4c3a37efbe3aca4b7308de41dc2ecf219
                              • Opcode Fuzzy Hash: d451bdab4d502edaca8d788d6bad1869588bf6bba53914b5fb6f0fca7a0e07f8
                              • Instruction Fuzzy Hash: 9B2127B5D00248AFDB10CFAAD885ADEBFF8FF48310F14841AEA54A3250C774A945CF60
                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F5AF7E,?,?,?,?,?), ref: 02F5B03F
                              Memory Dump Source
                              • Source File: 00000008.00000002.3768277127.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_2f50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              • String ID:
                              • API String ID: 3793708945-0
                              • Opcode ID: db6a2ec9ae9b3b40215a029da7db06b96580c2df7f24a7f8ffa90e0f8725bbe7
                              • Instruction ID: e11b90599dafd7a62390567a1c624b69855e2718e0bbfd73af09614223ce83c2
                              • Opcode Fuzzy Hash: db6a2ec9ae9b3b40215a029da7db06b96580c2df7f24a7f8ffa90e0f8725bbe7
                              • Instruction Fuzzy Hash: 1421D4B5D002599FDB10CF9AD584ADEBBF4EB48310F14801AEA14A7250D375A954CFA0
                              APIs
                              • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02F55CDB
                              Memory Dump Source
                              • Source File: 00000008.00000002.3768277127.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_2f50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: HookWindows
                              • String ID:
                              • API String ID: 2559412058-0
                              • Opcode ID: fb8460b5ef780f55304bbba7db45ec85bcb1f3f7e6074e174b2eee7e40e4ce09
                              • Instruction ID: 9ceedcc8fe32705b0e8ba958edb630dfeb54c00a621f18aa68e65b6f1d0751a7
                              • Opcode Fuzzy Hash: fb8460b5ef780f55304bbba7db45ec85bcb1f3f7e6074e174b2eee7e40e4ce09
                              • Instruction Fuzzy Hash: 53215771D002098FCB14CFA9C944BDEFBF1AF88310F108419D918A7250CB749945CFA0
                              APIs
                              • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02F55CDB
                              Memory Dump Source
                              • Source File: 00000008.00000002.3768277127.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_2f50000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: HookWindows
                              • String ID:
                              • API String ID: 2559412058-0
                              • Opcode ID: 929332e6c9a3d26b1b15ef69488a716c5d8b56c6a4acb9c34d9d413b08181edb
                              • Instruction ID: 245dc991fa38c0caed17bfda45e8f5b6d7f64200c937fd3d4720e0689ec40c4c
                              • Opcode Fuzzy Hash: 929332e6c9a3d26b1b15ef69488a716c5d8b56c6a4acb9c34d9d413b08181edb
                              • Instruction Fuzzy Hash: 702115B1D002598FDB14DFAAC944BDEBBF5AB88310F108429D929A7250CB74A945CFA0
                              APIs
                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,070253B2), ref: 0702549F
                              Memory Dump Source
                              • Source File: 00000008.00000002.3775311443.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_7020000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: GlobalMemoryStatus
                              • String ID:
                              • API String ID: 1890195054-0
                              • Opcode ID: 7a1fa2db937379c6687c5be3fe16a9b88da28c57cbce37efc4781492cb71ab7c
                              • Instruction ID: 510ca226d2fb9f472a661a48fe8494d0ba86ada41c074fba7b66b4ca087ac8cd
                              • Opcode Fuzzy Hash: 7a1fa2db937379c6687c5be3fe16a9b88da28c57cbce37efc4781492cb71ab7c
                              • Instruction Fuzzy Hash: F0114AB1C0066A9BCB10DF9AC4457DEFBF4EF48324F10816AD814B7240D378A951CFA5
                              APIs
                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,070253B2), ref: 0702549F
                              Memory Dump Source
                              • Source File: 00000008.00000002.3775311443.0000000007020000.00000040.00000800.00020000.00000000.sdmp, Offset: 07020000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_7020000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID: GlobalMemoryStatus
                              • String ID:
                              • API String ID: 1890195054-0
                              • Opcode ID: eb28526fdf22afcb8fc0a13b8c077af15faa10325c3ff43cd67fec4618d6d7ea
                              • Instruction ID: 32fc88fa19eefc823f611da7a2950d851524fd638aa6942e42d5acc99be49f07
                              • Opcode Fuzzy Hash: eb28526fdf22afcb8fc0a13b8c077af15faa10325c3ff43cd67fec4618d6d7ea
                              • Instruction Fuzzy Hash: D51147B1C0025A9FCB10CF9AC444BDEFBF4AF48314F14826AD818A3340D3789955CFA5
                              Memory Dump Source
                              • Source File: 00000008.00000002.3767897769.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_174d000_pKXxiawkTj.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 98481aa2823dd1cf0717a2bf28f12b8f1e81ec15dfc4285509ab98a3c0c2217c
                              • Instruction ID: b55c7b295db2efcae73f833b0eef400decd7a61834fcb3dc0f051120a7629ec2
                              • Opcode Fuzzy Hash: 98481aa2823dd1cf0717a2bf28f12b8f1e81ec15dfc4285509ab98a3c0c2217c
                              • Instruction Fuzzy Hash: 2F2136B1604200DFDB25DF54D9C0B26FF61FB98318F30C1A9E8494B246C736D406CAE2
                              Memory Dump Source
                              • Source File: 00000008.00000002.3767989263.000000000175D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_175d000_pKXxiawkTj.jbxd
                              Memory Dump Source
                              • Source File: 00000008.00000002.3767989263.000000000175D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_175d000_pKXxiawkTj.jbxd
                              Memory Dump Source
                              • Source File: 00000008.00000002.3767989263.000000000175D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_175d000_pKXxiawkTj.jbxd
                              Memory Dump Source
                              • Source File: 00000008.00000002.3767989263.000000000175D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_175d000_pKXxiawkTj.jbxd
                              Memory Dump Source
                              • Source File: 00000008.00000002.3767897769.000000000174D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0174D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_174d000_pKXxiawkTj.jbxd
                              Memory Dump Source
                              • Source File: 00000008.00000002.3767989263.000000000175D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_175d000_pKXxiawkTj.jbxd
                              Memory Dump Source
                              • Source File: 00000008.00000002.3767989263.000000000175D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0175D000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_175d000_pKXxiawkTj.jbxd

                              Execution Graph

                              Execution Coverage:9.6%
                              Dynamic/Decrypted Code Coverage:100%
                              Signature Coverage:0%
                              Total number of Nodes:128
                              Total number of Limit Nodes:10

                              Control-flow Graph

                              APIs
                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07CA27EB
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1362620504.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7ca0000_VfcnvkK.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID: FKy

                              Control-flow Graph

                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07CAEFA6
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1362620504.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7ca0000_VfcnvkK.jbxd
                              Similarity
                              • API ID: CreateProcess

                              Control-flow Graph

                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 012CAFBE
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1357680633.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_12c0000_VfcnvkK.jbxd
                              Similarity
                              • API ID: HandleModule

                              Control-flow Graph

                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 012C59A9
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1357680633.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_12c0000_VfcnvkK.jbxd
                              Similarity
                              • API ID: Create

                              Control-flow Graph

                              APIs
                              • CreateActCtxA.KERNEL32(?), ref: 012C59A9
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1357680633.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_12c0000_VfcnvkK.jbxd
                              Similarity
                              • API ID: Create

                              Control-flow Graph

                              APIs
                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07CAEB78
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1362620504.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7ca0000_VfcnvkK.jbxd
                              Similarity
                              • API ID: MemoryProcessWrite

                              Control-flow Graph

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012CD616,?,?,?,?,?), ref: 012CD6D7
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1357680633.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_12c0000_VfcnvkK.jbxd
                              Similarity
                              • API ID: DuplicateHandle

                              Control-flow Graph

                              APIs
                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07CAE15E
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1362620504.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7ca0000_VfcnvkK.jbxd
                              Similarity
                              • API ID: ContextThreadWow64

                              Control-flow Graph

                              APIs
                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07CAEC58
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1362620504.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7ca0000_VfcnvkK.jbxd
                              Similarity
                              • API ID: MemoryProcessRead

                              Control-flow Graph

                              APIs
                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012CD616,?,?,?,?,?), ref: 012CD6D7
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1357680633.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_12c0000_VfcnvkK.jbxd
                              Similarity
                              • API ID: DuplicateHandle
                              APIs
                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07CA27EB
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1362620504.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7ca0000_VfcnvkK.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              APIs
                              • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07CA27EB
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1362620504.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7ca0000_VfcnvkK.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              APIs
                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07CAE65E
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1362620504.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7ca0000_VfcnvkK.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              APIs
                              • PostMessageW.USER32(?,?,?,?), ref: 0EAA11B5
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1364072048.000000000EAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EAA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_eaa0000_VfcnvkK.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: 0876255ab190b1c5e5a973553e232ad8eee3935b44e952b3261dddddbc56aa5d
                              • Instruction ID: df47b78c6dca38293f01bab940be79e0888978130575474f54b78e451bf46329
                              • Opcode Fuzzy Hash: 0876255ab190b1c5e5a973553e232ad8eee3935b44e952b3261dddddbc56aa5d
                              • Instruction Fuzzy Hash: A91113B68003499FDB20DF9AC985BDEBBF8EB58320F248419E558A7240D375A944CFA5
                              APIs
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1362620504.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_7ca0000_VfcnvkK.jbxd
                              Similarity
                              • API ID: ResumeThread
                              • String ID:
                              • API String ID: 947044025-0
                              • Opcode ID: 08a2f05328df02e7d2ff82beb1ca34a7d49f002ef259950c0c46411b7f4e6762
                              • Instruction ID: f42c493967c7ee5f188f8ec5e49f26897f9e68381ca887480193665cd257a338
                              • Opcode Fuzzy Hash: 08a2f05328df02e7d2ff82beb1ca34a7d49f002ef259950c0c46411b7f4e6762
                              • Instruction Fuzzy Hash: 14116AB1C003498FDB20DFAAC44579EFBF4EF48324F208429D519A7240CB756901CFA4
                              APIs
                              • GetModuleHandleW.KERNELBASE(00000000), ref: 012CAFBE
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1357680633.00000000012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012C0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_12c0000_VfcnvkK.jbxd
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: efc6643704a3ee90ed9ed878fdf7c34efd6139f1064d0eee7ffb106bd1b460c7
                              • Instruction ID: e8cea3b330b325448736989b575d4c8ca838c1c9741a3a5f2a0b18b38d88ca9e
                              • Opcode Fuzzy Hash: efc6643704a3ee90ed9ed878fdf7c34efd6139f1064d0eee7ffb106bd1b460c7
                              • Instruction Fuzzy Hash: 2C1102B5C0024A8FDB20CF9AC444BDEFBF4AB88214F10851AD519A7650D379A545CFA1
                              APIs
                              • PostMessageW.USER32(?,?,?,?), ref: 0EAA11B5
                              Memory Dump Source
                              • Source File: 0000000B.00000002.1364072048.000000000EAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EAA0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_11_2_eaa0000_VfcnvkK.jbxd
                              Similarity
                              • API ID: MessagePost
                              • String ID:
                              • API String ID: 410705778-0
                              • Opcode ID: 2d56022a436f93e2ded2a19f50564a63a251ed095b018779c7cb31706008dd82
                              • Instruction ID: 8408eec48102316c35083ba82fffc727c7607b981702608d89bc5a840fdda47e
                              • Opcode Fuzzy Hash: 2d56022a436f93e2ded2a19f50564a63a251ed095b018779c7cb31706008dd82
                              • Instruction Fuzzy Hash: 7811E5B58003499FDB10DF9AC985BDEFBF8FB48320F148419E558A7240C375A944CFA5
                              Strings
                              Memory Dump Source
                              • Source File: 0000000E.00000002.1377839148.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_14_2_28d0000_VfcnvkK.jbxd
                              Similarity
                              • API ID:
                              • String ID: $q$$q$$q
                              • API String ID: 0-3067366958
                              • Opcode ID: f2bb6dd818066ddd98374228d061b7515c958e6ad920a7c4be5e8d985989ae0c
                              • Instruction ID: 7fe55671bf65c03dd9e3068456749fc65bf1af3d9e2358106e707e04aa93f008
                              • Opcode Fuzzy Hash: f2bb6dd818066ddd98374228d061b7515c958e6ad920a7c4be5e8d985989ae0c
                              • Instruction Fuzzy Hash: 10F165387002049FDB15AB75E85976E7BB2FF88310F148569E50AEB3E5DF719C0A8B81
                              Strings
                              Memory Dump Source
                              • Source File: 0000000E.00000002.1377839148.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_14_2_28d0000_VfcnvkK.jbxd
                              Similarity
                              • API ID:
                              • String ID: $q$$q
                              • API String ID: 0-3126353813
                              • Opcode ID: cba49f9d8265a8bb06981c7c6cfb4e9980577381eda7ad482179652f45fbfb5a
                              • Instruction ID: e52b9768d678fd5385f6ec8d56896abba1242eab62258035ba5978b468b9762e
                              • Opcode Fuzzy Hash: cba49f9d8265a8bb06981c7c6cfb4e9980577381eda7ad482179652f45fbfb5a
                              • Instruction Fuzzy Hash: 39D144387002048FDB15AB75E85876E7BB2FF88311F148569D40AEB3A9DF759C0ACB81
                              Strings
                              Memory Dump Source
                              • Source File: 0000000E.00000002.1377839148.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_14_2_28d0000_VfcnvkK.jbxd
                              Similarity
                              • API ID:
                              • String ID: $q$$q
                              • API String ID: 0-3126353813
                              • Opcode ID: 4d5b9b8c7be9ab29938a52d1fa56099565ead79aa8a3533758ec735eea805030
                              • Instruction ID: 1629a9a50415f505da80d943d546b26a87ad161b3ff48cd83bd07614caf20758
                              • Opcode Fuzzy Hash: 4d5b9b8c7be9ab29938a52d1fa56099565ead79aa8a3533758ec735eea805030
                              • Instruction Fuzzy Hash: 05D145387002048FDB15AB75E85876E7BB2FF88311F148569D40AEB3A9DF759C0ACB81
                              Strings
                              Memory Dump Source
                              • Source File: 0000000E.00000002.1377839148.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_14_2_28d0000_VfcnvkK.jbxd
                              Similarity
                              • API ID:
                              • String ID: $q$$q
                              • API String ID: 0-3126353813
                              • Opcode ID: a3ccb776af37494b7871962cbe2f2250fb7b8d35e92a284fa0d608576aec037c
                              • Instruction ID: 1852d7f7f8d41f7533d1c1904b5fc4b60b172d9311f1941a1c4d7d8705f185b4
                              • Opcode Fuzzy Hash: a3ccb776af37494b7871962cbe2f2250fb7b8d35e92a284fa0d608576aec037c
                              • Instruction Fuzzy Hash: 809182387003048FEB19AB75D85576E7BE3AF88300F188569E80EEB395DF759C068B91
                              Strings
                              Memory Dump Source
                              • Source File: 0000000E.00000002.1377839148.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_14_2_28d0000_VfcnvkK.jbxd
                              Similarity
                              • API ID:
                              • String ID: LRq
                              • API String ID: 0-3187445251
                              • Opcode ID: 2398215c8c65bf7e4331c86d56169cd35be4dd358cdbbc7f3e7391795e0458c9
                              • Instruction ID: 882857ca7fce0b332b4ae88f03758282bb410f69e7efd58d2199b8916f4ff34b
                              • Opcode Fuzzy Hash: 2398215c8c65bf7e4331c86d56169cd35be4dd358cdbbc7f3e7391795e0458c9
                              • Instruction Fuzzy Hash: C721D034B012189FCB59EB79885477E7BE2BFC9300B24846AD009EB395DE74CD068792
                              Strings
                              Memory Dump Source
                              • Source File: 0000000E.00000002.1377839148.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_14_2_28d0000_VfcnvkK.jbxd
                              Similarity
                              • API ID:
                              • String ID: LRq
                              • API String ID: 0-3187445251
                              • Opcode ID: eaca8838dc6a2d9006f2b18a58add8688d94beaf04c11211e1824ea96f793e4d
                              • Instruction ID: 48d43b89892d228aae67f209d1709452f9679ffe951c75d35e8f7f45a80cf998
                              • Opcode Fuzzy Hash: eaca8838dc6a2d9006f2b18a58add8688d94beaf04c11211e1824ea96f793e4d
                              • Instruction Fuzzy Hash: 2121EC34B012188FCB54EB3D885077E7BE2AFC9310B28856AE419EB396DE74DD068791
                              Strings
                              Memory Dump Source
                              • Source File: 0000000E.00000002.1377839148.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_14_2_28d0000_VfcnvkK.jbxd
                              Similarity
                              • API ID:
                              • String ID: Hq
                              • API String ID: 0-1594803414
                              • Opcode ID: 8cee8e0605e3918c310bf06bc164b4d526894dd74db37cfb914f2670c4683381
                              • Instruction ID: aedc8d440268fa705fd8c6b010599ab5565eb834e1bc33e48d1baf0e91130319
                              • Opcode Fuzzy Hash: 8cee8e0605e3918c310bf06bc164b4d526894dd74db37cfb914f2670c4683381
                              • Instruction Fuzzy Hash: 95218E30A052089FCB58EFB8D8557AE7BA2AF84310F1485ADC40DE7295DB304A15CB81
                              Memory Dump Source
                              • Source File: 0000000E.00000002.1377839148.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_14_2_28d0000_VfcnvkK.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: faae1abfd283efba280df627f4fddd1d54652d9f19e7f4a1946b243fc486606c
                              • Instruction ID: d2fd7f94ddb050581fe0d5aa88e51bb1c38ce41493f6eeed278d77e8ce699fea
                              • Opcode Fuzzy Hash: faae1abfd283efba280df627f4fddd1d54652d9f19e7f4a1946b243fc486606c
                              • Instruction Fuzzy Hash: 6E21C275B002184FDB54ABB958193AEBBEAEFC8350B28842ED44FD7742DE349C0647A1
                              Memory Dump Source
                              • Source File: 0000000E.00000002.1377839148.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_14_2_28d0000_VfcnvkK.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 13f172497cfeaaf7de0d8131f7fcd36f8d2cdd28c25ad804bca501f19011da9f
                              • Instruction ID: fd07fbe77d789691456d604c55207bfa8963484126cebac167d4608d871a9b60
                              • Opcode Fuzzy Hash: 13f172497cfeaaf7de0d8131f7fcd36f8d2cdd28c25ad804bca501f19011da9f
                              • Instruction Fuzzy Hash: AD215E78D00209DFDB41EBB4D8546AE7BB2FF88300F10856AD505BB354EF34AA46CB51
                              Memory Dump Source
                              • Source File: 0000000E.00000002.1377839148.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_14_2_28d0000_VfcnvkK.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 30f243e77b6761082f184c9a1c61f95605dc0b0c2a53dd89b8c9efc51b533b77
                              • Instruction ID: e931f5caf14eb3293f59c3845d1183c85fed1f8ff332393d51d7721ca5b4fea6
                              • Opcode Fuzzy Hash: 30f243e77b6761082f184c9a1c61f95605dc0b0c2a53dd89b8c9efc51b533b77
                              • Instruction Fuzzy Hash: 79213D78D00209DFDB41EBB5D8546AE7BB6FF88300F10856AD105BB354EF746A46CB51
                              Memory Dump Source
                              • Source File: 0000000E.00000002.1377839148.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_14_2_28d0000_VfcnvkK.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4225b38a0b90ddb6b0b1bc9b8967abede414578370e06de548598e139b78910e
                              • Instruction ID: c4f186c48171d14903423dacb9d593cb6717b1a27542304fcb8a057f687453d9
                              • Opcode Fuzzy Hash: 4225b38a0b90ddb6b0b1bc9b8967abede414578370e06de548598e139b78910e
                              • Instruction Fuzzy Hash: 86219E3850525AAFDF12FB64F984A5A3BB5FB49205B005A56D004AF26DDE707D0FCF81
                              Memory Dump Source
                              • Source File: 0000000E.00000002.1377839148.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_14_2_28d0000_VfcnvkK.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2e27fcf12b67781465064d3900752909dacdf6bb3009b70ac3eb783d528004ed
                              • Instruction ID: b1ecfed9407f202834dc4f2f1df353f963ad92cb075240fef80e7d2142389960
                              • Opcode Fuzzy Hash: 2e27fcf12b67781465064d3900752909dacdf6bb3009b70ac3eb783d528004ed
                              • Instruction Fuzzy Hash: F421597850121AAFDF12FB24F985A467BB5F748205B109A569008AF26DDE707D4F8FC1
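The function records above are the raw evidence behind the report's "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures: process 11 has functions calling VirtualAllocEx and ResumeThread, and one tagged ProtectVirtual whose call line is cut off at the top of this section. The script below is an added example, not code from Joe Sandbox or from the analysed sample. It parses the "APIs" / "Memory Dump Source" / "Similarity" bullets of this listing, groups the Win32 calls per analysed process, and reports which remote-process-injection primitives are actually present. Assumptions: the line layout is inferred from the records on this page; the first field of a Source File name is read as the process number in the analysis (0x0B = 11, which matches the `hcaresult_11_...` snapshot names); the "API ID" tags mapped to function names are only those visible on this page; WriteProcessMemory, SetThreadContext and CreateRemoteThread are standard Win32 names that do not occur in this section and are matched by name only. SAMPLE is constructed from records shown above.

```python
"""Triage the Joe Sandbox per-function records on this page.

Added example (not Joe Sandbox code, not the sample's code): parse the
'APIs' / 'Memory Dump Source' / 'Similarity' bullets, group Win32 calls per
analysed process, and list which remote-process-injection primitives the
records actually show.  SAMPLE is constructed from records on this page.
"""
import re
from collections import defaultdict

SAMPLE = """\
• Source File: 0000000B.00000002.1362620504.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
Similarity
• API ID: ProtectVirtual
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07CAE65E
Memory Dump Source
• Source File: 0000000B.00000002.1362620504.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
Similarity
• API ID: AllocVirtual
APIs
• PostMessageW.USER32(?,?,?,?), ref: 0EAA11B5
Memory Dump Source
• Source File: 0000000B.00000002.1364072048.000000000EAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0EAA0000, based on PE: false
Similarity
• API ID: MessagePost
APIs
Memory Dump Source
• Source File: 0000000B.00000002.1362620504.0000000007CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CA0000, based on PE: false
Similarity
• API ID: ResumeThread
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1377839148.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
Similarity
• API ID:
• String ID: $q$$q$$q
"""

# "• Func.MODULE(args), ref: ADDR" as the 'APIs' lines on this page are laid out.
API_CALL = re.compile(r"^•\s*(?P<func>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# <proc>.<dump kind>.<dump id>.<base>: the first field is read as the process
# number in the analysis (0x0B = 11, matching the 'hcaresult_11_...' snapshot name).
SOURCE = re.compile(r"^•\s*Source File:\s*(?P<pid>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})")
API_ID = re.compile(r"^•\s*API ID:\s*(?P<tag>\S.*)?$")

# Calls making up "allocate in another process, write, make executable, run",
# keyed by raw Win32 name and by the report's 'API ID' tag.  The tag survives
# when the call line is cut off (the ProtectVirtual record at the top of this
# section).  Only tags seen on this page are listed; the other calls match by
# raw name only.  A tag does not distinguish the local and remote (...Ex)
# forms, so confirm those from the call line when it is present.
PRIMITIVES = {
    "VirtualAllocEx": "VirtualAlloc(Ex)", "AllocVirtual": "VirtualAlloc(Ex)",
    "VirtualProtect": "VirtualProtect(Ex)", "VirtualProtectEx": "VirtualProtect(Ex)",
    "ProtectVirtual": "VirtualProtect(Ex)",
    "WriteProcessMemory": "WriteProcessMemory", "SetThreadContext": "SetThreadContext",
    "CreateRemoteThread": "CreateRemoteThread", "ResumeThread": "ResumeThread",
}


def parse_records(text):
    """One dict per function record: pid, base, calls [(func, module, ref)], tag."""
    records, pending, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = API_CALL.match(line)
        if m:
            pending.append((m["func"], m["module"], m["ref"]))
            continue
        m = SOURCE.match(line)
        if m:  # the 'Source File' line closes the APIs list of its record
            current = {"pid": int(m["pid"], 16), "base": int(m["base"], 16),
                       "calls": pending, "tag": ""}
            records.append(current)
            pending = []
            continue
        m = API_ID.match(line)
        if m and current is not None:
            current["tag"] = (m["tag"] or "").strip()
    return records


def primitives_by_process(records):
    """Process number -> sorted injection primitives seen in its records."""
    seen = defaultdict(set)
    for r in records:
        names = {func for func, _mod, _ref in r["calls"]}
        if r["tag"]:
            names.add(r["tag"])
        seen[r["pid"]].update(PRIMITIVES[n] for n in names if n in PRIMITIVES)
    return {pid: sorted(p) for pid, p in seen.items() if p}


def regions_by_process(records):
    """Process number -> {dump base address: set of raw call names}."""
    out = defaultdict(lambda: defaultdict(set))
    for r in records:
        for func, _mod, _ref in r["calls"]:
            out[r["pid"]][r["base"]].add(func)
    return out


if __name__ == "__main__":
    for pid, prims in primitives_by_process(parse_records(SAMPLE)).items():
        print(f"process {pid}: {', '.join(prims)}")
```

Run against the full listing, the output for process 11 shows the allocate / protect / resume trio; WriteProcessMemory and SetThreadContext do not appear in this section, so a reviewer should look for them in the other process records (or in the report's API call log) before calling the injection a classic hollowing rather than another variant.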