Windows Analysis Report
jG8N6WDJOx.exe

Overview

General Information

Sample name: jG8N6WDJOx.exe (renamed because original name is a hash value)
Original sample name: 914ca6ae22e3e4d3b6e4fe8442dc7e176037ce54e98dfdec5510a179f4ef3c75.exe
Analysis ID: 1588143
MD5: a87229b37b8388f3687aaaa3c132ddf2
SHA1: 1390ba7361af77f7d6dbe1b8613faaaec5bc8a47
SHA256: 914ca6ae22e3e4d3b6e4fe8442dc7e176037ce54e98dfdec5510a179f4ef3c75
Tags: exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • jG8N6WDJOx.exe (PID: 5544 cmdline: "C:\Users\user\Desktop\jG8N6WDJOx.exe" MD5: A87229B37B8388F3687AAAA3C132DDF2)
    • powershell.exe (PID: 2504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jG8N6WDJOx.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7188 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HNkDZJwSy.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7632 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7212 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HNkDZJwSy" /XML "C:\Users\user\AppData\Local\Temp\tmp692.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • jG8N6WDJOx.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\jG8N6WDJOx.exe" MD5: A87229B37B8388F3687AAAA3C132DDF2)
  • HNkDZJwSy.exe (PID: 7588 cmdline: C:\Users\user\AppData\Roaming\HNkDZJwSy.exe MD5: A87229B37B8388F3687AAAA3C132DDF2)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}
Source | Rule | Description | Author | Strings
00000008.00000002.2944845492.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000008.00000002.2942551985.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000008.00000002.2942551985.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.1733796471.0000000004079000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.1733796471.0000000004079000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(9 entries in the full report; 5 shown here)
Source | Rule | Description | Author | Strings
8.2.jG8N6WDJOx.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
8.2.jG8N6WDJOx.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
8.2.jG8N6WDJOx.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | see string list below
  • 0x334ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33561:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x335eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3367d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x336e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33759:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x337ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3387f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.jG8N6WDJOx.exe.4bf0008.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.jG8N6WDJOx.exe.4bf0008.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(18 entries in the full report; 5 shown here)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jG8N6WDJOx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jG8N6WDJOx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\jG8N6WDJOx.exe", ParentImage: C:\Users\user\Desktop\jG8N6WDJOx.exe, ParentProcessId: 5544, ParentProcessName: jG8N6WDJOx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jG8N6WDJOx.exe", ProcessId: 2504, ProcessName: powershell.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\jG8N6WDJOx.exe, Initiated: true, ProcessId: 7404, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HNkDZJwSy" /XML "C:\Users\user\AppData\Local\Temp\tmp692.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HNkDZJwSy" /XML "C:\Users\user\AppData\Local\Temp\tmp692.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\jG8N6WDJOx.exe", ParentImage: C:\Users\user\Desktop\jG8N6WDJOx.exe, ParentProcessId: 5544, ParentProcessName: jG8N6WDJOx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HNkDZJwSy" /XML "C:\Users\user\AppData\Local\Temp\tmp692.tmp", ProcessId: 7212, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jG8N6WDJOx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jG8N6WDJOx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\jG8N6WDJOx.exe", ParentImage: C:\Users\user\Desktop\jG8N6WDJOx.exe, ParentProcessId: 5544, ParentProcessName: jG8N6WDJOx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jG8N6WDJOx.exe", ProcessId: 2504, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HNkDZJwSy" /XML "C:\Users\user\AppData\Local\Temp\tmp692.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HNkDZJwSy" /XML "C:\Users\user\AppData\Local\Temp\tmp692.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\jG8N6WDJOx.exe", ParentImage: C:\Users\user\Desktop\jG8N6WDJOx.exe, ParentProcessId: 5544, ParentProcessName: jG8N6WDJOx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HNkDZJwSy" /XML "C:\Users\user\AppData\Local\Temp\tmp692.tmp", ProcessId: 7212, ProcessName: schtasks.exe
No Suricata rule has matched


AV Detection

Source: jG8N6WDJOx.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\HNkDZJwSy.exe | Avira: detection malicious, Label: HEUR/AGEN.1357257
Source: 8.2.jG8N6WDJOx.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}
Source: C:\Users\user\AppData\Roaming\HNkDZJwSy.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Roaming\HNkDZJwSy.exe | Virustotal: Detection: 52%
Source: jG8N6WDJOx.exe | ReversingLabs: Detection: 78%
Source: jG8N6WDJOx.exe | Virustotal: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\HNkDZJwSy.exe | Joe Sandbox ML: detected
Source: jG8N6WDJOx.exe | Joe Sandbox ML: detected
Source: jG8N6WDJOx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: jG8N6WDJOx.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.4b713e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.4af27c8.2.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.4:51543 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 46.175.148.58
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 46.175.148.58:25
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: global traffic | DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: jG8N6WDJOx.exe, HNkDZJwSy.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: jG8N6WDJOx.exe, HNkDZJwSy.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: jG8N6WDJOx.exe, HNkDZJwSy.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: jG8N6WDJOx.exe, HNkDZJwSy.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: jG8N6WDJOx.exe, HNkDZJwSy.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: jG8N6WDJOx.exe, HNkDZJwSy.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: jG8N6WDJOx.exe, HNkDZJwSy.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: HNkDZJwSy.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: jG8N6WDJOx.exe, HNkDZJwSy.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: jG8N6WDJOx.exe, 00000008.00000002.2944845492.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.iaa-airferight.com
Source: jG8N6WDJOx.exe, HNkDZJwSy.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: jG8N6WDJOx.exe, HNkDZJwSy.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: jG8N6WDJOx.exe, HNkDZJwSy.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: jG8N6WDJOx.exe, HNkDZJwSy.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: jG8N6WDJOx.exe, 00000000.00000002.1731950261.00000000032C9000.00000004.00000800.00020000.00000000.sdmp, jG8N6WDJOx.exe, 00000008.00000002.2944845492.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: jG8N6WDJOx.exe, HNkDZJwSy.exe.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: jG8N6WDJOx.exe, 00000000.00000002.1733796471.0000000004079000.00000004.00000800.00020000.00000000.sdmp, jG8N6WDJOx.exe, 00000000.00000002.1733796471.00000000048E3000.00000004.00000800.00020000.00000000.sdmp, jG8N6WDJOx.exe, 00000008.00000002.2942551985.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: jG8N6WDJOx.exe, 00000000.00000002.1733796471.0000000004079000.00000004.00000800.00020000.00000000.sdmp, jG8N6WDJOx.exe, 00000000.00000002.1733796471.00000000048E3000.00000004.00000800.00020000.00000000.sdmp, jG8N6WDJOx.exe, 00000008.00000002.2942551985.0000000000402000.00000040.00000400.00020000.00000000.sdmp, jG8N6WDJOx.exe, 00000008.00000002.2944845492.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: jG8N6WDJOx.exe, 00000008.00000002.2944845492.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: jG8N6WDJOx.exe, 00000008.00000002.2944845492.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49734 version: TLS 1.2

System Summary

Source: 8.2.jG8N6WDJOx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.jG8N6WDJOx.exe.4bf0008.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.jG8N6WDJOx.exe.40a4108.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.jG8N6WDJOx.exe.40a4108.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.jG8N6WDJOx.exe.4bf0008.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.jG8N6WDJOx.exe.4b713e8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.jG8N6WDJOx.exe.4af27c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0134D74C
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_079355DB
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_07936458
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793BC58
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793DB80
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_07934BA0
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793D280
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_07933793
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793BF10
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793BF00
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_079386B0
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_079386C0
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793C638
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793C648
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_07938D29
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_079374B8
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_079374A8
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793BC48
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_07936391
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793633A
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_07938B58
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_07938B49
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_07936371
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793DB70
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_079342DE
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793C250
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_07934250
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793C241
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793D270
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793C9F9
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793E130
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793E120
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_079388B9
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_079388C8
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793503B
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793C820
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 8_2_02C7E6A1
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 8_2_02C74A98
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 8_2_02C73E80
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 8_2_02C741C8
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 8_2_02C7A960
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 8_2_06BA5588
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 8_2_06BA65E0
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 8_2_06BA7D68
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 8_2_06BAB20F
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 8_2_06BA3040
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 8_2_06BA7688
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 8_2_06BA5CD3
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 8_2_06BAE388
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 8_2_06BA2349
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 8_2_06BA0040
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 8_2_06BA0006
Source: jG8N6WDJOx.exe | Static PE information: invalid certificate
Source: jG8N6WDJOx.exe, 00000000.00000002.1751921166.00000000076CD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameChromeSetup.exe< vs jG8N6WDJOx.exe
Source: jG8N6WDJOx.exe, 00000000.00000002.1733796471.0000000004079000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs jG8N6WDJOx.exe
Source: jG8N6WDJOx.exe, 00000000.00000002.1733796471.0000000004079000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs jG8N6WDJOx.exe
Source: jG8N6WDJOx.exe, 00000000.00000000.1692310779.0000000000CCE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameChromeSetup.exe< vs jG8N6WDJOx.exe
Source: jG8N6WDJOx.exe, 00000000.00000002.1760049118.000000000A980000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs jG8N6WDJOx.exe
Source: jG8N6WDJOx.exe, 00000000.00000002.1747810944.0000000005AE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs jG8N6WDJOx.exe
Source: jG8N6WDJOx.exe, 00000000.00000002.1730939225.00000000013ED000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs jG8N6WDJOx.exe
Source: jG8N6WDJOx.exe, 00000000.00000002.1733796471.00000000048E3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs jG8N6WDJOx.exe
Source: jG8N6WDJOx.exe, 00000000.00000002.1733796471.00000000048E3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs jG8N6WDJOx.exe
Source: jG8N6WDJOx.exe, 00000000.00000002.1731950261.00000000032C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs jG8N6WDJOx.exe
Source: jG8N6WDJOx.exe, 00000008.00000002.2943101125.0000000001158000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs jG8N6WDJOx.exe
Source: jG8N6WDJOx.exe, 00000008.00000002.2942551985.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs jG8N6WDJOx.exe
Source: jG8N6WDJOx.exe, 00000008.00000002.2942804059.0000000000F59000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs jG8N6WDJOx.exe
Source: jG8N6WDJOx.exe | Binary or memory string: OriginalFilenameChromeSetup.exe< vs jG8N6WDJOx.exe
Source: jG8N6WDJOx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8.2.jG8N6WDJOx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.jG8N6WDJOx.exe.4bf0008.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.jG8N6WDJOx.exe.40a4108.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.jG8N6WDJOx.exe.40a4108.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.jG8N6WDJOx.exe.4bf0008.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.jG8N6WDJOx.exe.4b713e8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.jG8N6WDJOx.exe.4af27c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: jG8N6WDJOx.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: HNkDZJwSy.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@14/13@3/2
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File created: C:\Users\user\AppData\Roaming\HNkDZJwSy.exe
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1396:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7200:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7236:120:WilError_03
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File created: C:\Users\user\AppData\Local\Temp\tmp692.tmp
Source: jG8N6WDJOx.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: jG8N6WDJOx.exe | ReversingLabs: Detection: 78%
Source: jG8N6WDJOx.exe | Virustotal: Detection: 52%
Source: jG8N6WDJOx.exe | String found in binary or memory: appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={7845CB06-2203-CC75-ADD7-5EC2F08BF338}&lang=en&browser=2&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&brand=RXQR&installdataindex=empty
Source: jG8N6WDJOx.exe | String found in binary or memory: appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={7845CB06-2203-CC75-ADD7-5EC2F08BF338}&lang=en&browser=2&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&brand=RXQR&installdataindex=empty0
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File read: C:\Users\user\Desktop\jG8N6WDJOx.exe
Source: unknown | Process created: C:\Users\user\Desktop\jG8N6WDJOx.exe "C:\Users\user\Desktop\jG8N6WDJOx.exe"
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jG8N6WDJOx.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HNkDZJwSy.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HNkDZJwSy" /XML "C:\Users\user\AppData\Local\Temp\tmp692.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Process created: C:\Users\user\Desktop\jG8N6WDJOx.exe "C:\Users\user\Desktop\jG8N6WDJOx.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\HNkDZJwSy.exe C:\Users\user\AppData\Roaming\HNkDZJwSy.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: jG8N6WDJOx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: jG8N6WDJOx.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793E05B pushfd ; ret 0_2_0793E061
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 0_2_0793D04A push CC0793CCh; retf 0_2_0793D051
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 8_2_02C70C55 push edi; retf 8_2_02C70C7A
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Code function: 8_2_06BAFFBF push es; ret 8_2_06BAFFC0
                    Source: jG8N6WDJOx.exe | Static PE information: section name: .text entropy: 7.69734338252707
                    Source: HNkDZJwSy.exe.0.dr | Static PE information: section name: .text entropy: 7.69734338252707
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File created: C:\Users\user\AppData\Roaming\HNkDZJwSy.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HNkDZJwSy" /XML "C:\Users\user\AppData\Local\Temp\tmp692.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: jG8N6WDJOx.exe PID: 5544, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Memory allocated: 1340000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Memory allocated: 3070000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Memory allocated: 5070000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Memory allocated: 7E10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Memory allocated: 8E10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Memory allocated: 8FC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Memory allocated: 9FC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Memory allocated: AA00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Memory allocated: BA00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Memory allocated: CA00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Memory allocated: 2BD0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Memory allocated: 2DB0000 memory reserve | memory write watch
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6911
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2593
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7188
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2271
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Window / User API: threadDelayed 3626
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Window / User API: threadDelayed 6223
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7268 | Thread sleep count: 6911 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7468 | Thread sleep time: -10145709240540247s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7252 | Thread sleep count: 2593 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7480 | Thread sleep time: -11068046444225724s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7412 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep count: 35 > 30
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -32281802128991695s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7604 | Thread sleep count: 3626 > 30
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -99844s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -99730s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7604 | Thread sleep count: 6223 > 30
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -99625s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -99515s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -99394s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -99245s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -99141s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -99031s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -98922s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -98812s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -98703s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -98594s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -98469s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -98359s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -98250s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -98135s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -98031s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -97919s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -97791s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -97687s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -97578s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -97468s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -97359s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -97250s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -97140s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -97031s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -96921s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -96811s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -96699s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -96594s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -96469s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -96274s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -96150s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -96031s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -95922s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -95812s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -95703s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -95594s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -95484s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -95375s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -95266s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -95156s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -95047s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -94938s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -94828s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -94715s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -94609s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -94500s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -94390s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe TID: 7600 | Thread sleep time: -94281s >= -30000s
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 99844
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 99730
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 99625
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 99515
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 99394
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 99245
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 99141
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 99031
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 98922
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 98812
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 98703
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 98594
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 98469
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 98359
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 98250
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 98135
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 98031
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 97919
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 97791
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Thread delayed: delay time: 97687
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 97578Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 97468Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 97359Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 97250Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 97140Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 97031Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 96921Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 96811Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 96699Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 96594Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 96469Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 96274Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 96150Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 96031Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 95922Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 95812Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 95703Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 95594Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 95484Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 95375Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 95266Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 95156Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 95047Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 94938Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 94828Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 94715Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 94609Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 94500Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 94390Jump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeThread delayed: delay time: 94281Jump to behavior
                    Source: jG8N6WDJOx.exe, 00000000.00000002.1751921166.00000000076A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}tp
                    Source: jG8N6WDJOx.exe, 00000008.00000002.2943737327.0000000001229000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jG8N6WDJOx.exe"
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HNkDZJwSy.exe"
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HNkDZJwSy" /XML "C:\Users\user\AppData\Local\Temp\tmp692.tmp"
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Process created: C:\Users\user\Desktop\jG8N6WDJOx.exe "C:\Users\user\Desktop\jG8N6WDJOx.exe"
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Users\user\Desktop\jG8N6WDJOx.exe VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeQueries volume information: C:\Users\user\Desktop\jG8N6WDJOx.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeCode function: 8_2_02C76CE8 GetUserNameW,8_2_02C76CE8
                    Source: C:\Users\user\Desktop\jG8N6WDJOx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

Source: Yara match | File source: 8.2.jG8N6WDJOx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.4bf0008.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.40a4108.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.40a4108.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.4bf0008.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.4b713e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.4af27c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2944845492.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2942551985.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1733796471.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2944845492.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1733796471.00000000048E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jG8N6WDJOx.exe PID: 5544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jG8N6WDJOx.exe PID: 7404, type: MEMORYSTR
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 8.2.jG8N6WDJOx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.4bf0008.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.40a4108.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.40a4108.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.4bf0008.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.4b713e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.4af27c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2942551985.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1733796471.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2944845492.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1733796471.00000000048E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jG8N6WDJOx.exe PID: 5544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jG8N6WDJOx.exe PID: 7404, type: MEMORYSTR
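The file and registry opens listed in this section (Chrome and Edge Login Data, the Firefox, Cyberfox and BlackHawk profiles.ini files, Thunderbird profiles.ini, the MAPI and IncrediMail registry keys, WinSCP sessions and the FTP Navigator site list) are the host-side indicators a hunter would turn into a rule: one process reading password stores of several unrelated applications. The Python below is an added triage helper, not code from the report or from Joe Sandbox. It parses lines in the report's "Source: … File opened / Key opened: …" form (the fused form as extracted and a " | "-separated form both parse), maps each target to a credential-store category, and flags any process that touches two or more categories. The category names, the "chrome.exe" and kernel32.dll lines in the constructed sample and the chrome.exe install path are assumptions.

```python
"""Classify sandbox file/registry-open events against known credential stores.

Added triage helper, not part of the Joe Sandbox report. Flags any process that
reads password stores of two or more unrelated application categories, which is
the infostealer pattern shown in the report's "Stealing of Sensitive Information"
section.
"""
import re
from collections import defaultdict

# Accepts the report's fused form ("...exeFile opened: ...Jump to behavior") and
# a " | "-separated form; both are shown in the constructed sample below.
EVENT_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*(?P<kind>File opened|Key opened):\s*"
    r"(?P<target>.+?)(?:Jump to behavior)?\s*$"
)

# (regex over the lower-cased path or key, category, label). The stores are the
# ones the report shows being opened; the category names are this helper's own.
CREDENTIAL_STORES = [
    (r"\\google\\chrome\\user data\\.*\\login data$", "browser", "Chrome Login Data"),
    (r"\\microsoft\\edge\\user data\\.*\\login data$", "browser", "Edge Login Data"),
    (r"\\(mozilla\\firefox|8pecxstudios\\cyberfox|netgate technologies\\blackhawk)\\profiles\.ini$",
     "browser", "Gecko-based browser profiles.ini"),
    (r"\\thunderbird\\profiles\.ini$", "mail", "Thunderbird profiles.ini"),
    (r"\\windows messaging subsystem\\profiles$", "mail", "Outlook/MAPI profiles (registry)"),
    (r"\\incredimail\\identities$", "mail", "IncrediMail identities (registry)"),
    (r"\\martin prikryl\\winscp 2\\sessions$", "file-transfer", "WinSCP sessions (registry)"),
    (r"\\ftp navigator\\ftplist\.txt$", "file-transfer", "FTP Navigator site list"),
]

# Constructed sample: the targets are those listed in the report; the chrome.exe
# process (and its path) and the kernel32.dll line are added for contrast.
SAMPLE_EVENTS = r"""
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\jG8N6WDJOx.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\jG8N6WDJOx.exe | File opened: C:\Windows\System32\kernel32.dll
"""


def classify(events_text):
    """Map process basename (lower-cased) -> list of (category, label) hits."""
    hits = defaultdict(list)
    for raw in events_text.strip().splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue
        proc = m.group("proc").rsplit("\\", 1)[-1].lower()
        target = m.group("target").strip().lower()
        for pattern, category, label in CREDENTIAL_STORES:
            if re.search(pattern, target):
                hits[proc].append((category, label))
                break
    return dict(hits)


def suspicious(hits, min_categories=2):
    """Processes reading stores from at least min_categories unrelated categories.
    A browser reading its own Login Data is one category and is not flagged."""
    flagged = {}
    for proc, entries in hits.items():
        categories = sorted({category for category, _ in entries})
        if len(categories) >= min_categories:
            flagged[proc] = categories
    return flagged


if __name__ == "__main__":
    hits = classify(SAMPLE_EVENTS)
    for proc, entries in hits.items():
        print(proc)
        for category, label in entries:
            print(f"  [{category}] {label}")
    for proc, categories in suspicious(hits).items():
        print(f"FLAG {proc}: credential stores from {', '.join(categories)}")
```

On the constructed input only jG8N6WDJOx.exe is flagged (browser, file-transfer and mail stores); chrome.exe reading its own Login Data is a single category and stays quiet. Extend CREDENTIAL_STORES with the other stores a given stealer family targets; the threshold rather than the store list is what keeps the rule from firing on a browser or mail client doing its normal work.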

                    Remote Access Functionality

Source: Yara match | File source: 8.2.jG8N6WDJOx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.4bf0008.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.40a4108.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.40a4108.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.4bf0008.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.4b713e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jG8N6WDJOx.exe.4af27c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2944845492.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2942551985.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1733796471.0000000004079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2944845492.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1733796471.00000000048E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jG8N6WDJOx.exe PID: 5544, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jG8N6WDJOx.exe PID: 7404, type: MEMORYSTR
MITRE ATT&CK Matrix

Numbered cells are the techniques this analysis matched; the digits are the signature-count badges rendered on the original matrix, run together by extraction. Unnumbered cells are the surrounding ATT&CK matrix and carry no finding.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 2 OS Credential Dumping | 1 Account Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Scheduled Task/Job | 11 Process Injection | 2 Obfuscated Files or Information | 1 Credentials in Registry | 1 File and Directory Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | Logon Script (Windows) | 1 Scheduled Task/Job | 2 Software Packing | Security Account Manager | 24 System Information Discovery | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Query Registry | Distributed Component Object Model | Input Capture | 23 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 211 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 141 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Process Injection | DCSync | 141 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph

ID: 1588143 | Sample: jG8N6WDJOx.exe | Start date: 10/01/2025 | Architecture: WINDOWS | Score: 100

Resolved names: mail.iaa-airferight.com; api.ipify.org; 15.164.165.52.in-addr.arpa
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 8 other signatures

Process tree (bracketed numbers are the count badges shown on the graph nodes):

jG8N6WDJOx.exe [7], started
    dropped: C:\Users\user\AppData\Roaming\HNkDZJwSy.exe (PE32); C:\Users\...\HNkDZJwSy.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\Temp\tmp692.tmp (XML); C:\Users\user\AppData\...\jG8N6WDJOx.exe.log (ASCII)
    signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
    -> jG8N6WDJOx.exe [15 2], started
        network: api.ipify.org 104.26.13.205:443 (CLOUDFLARENETUS, United States); mail.iaa-airferight.com 46.175.148.58:25 (ASLAGIDKOM-NETUA, Ukraine)
        signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    -> powershell.exe [23], started
        signatures: Loading BitLocker PowerShell Module
        -> WmiPrvSE.exe, started
        -> conhost.exe, started
    -> powershell.exe [23], started
        -> conhost.exe, started
    -> schtasks.exe [1], started
        -> conhost.exe, started
HNkDZJwSy.exe, started
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
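The network half of the graph is the part that survives a change of packer: the second jG8N6WDJOx.exe instance first asks api.ipify.org for the host's public address over 443 and then opens SMTP to mail.iaa-airferight.com on port 25, which is how this family delivers harvested credentials. The Python below is an added detection example, not code from the report or from Joe Sandbox. It encodes that sequence as a per-process rule over connection events: a public-IP lookup followed, within a window, by an outbound SMTP connection from a process that is not an expected mail client. The hosts, IPs and ports of the first two events come from the report; the PIDs, timestamps, the remaining events (including the address 52.96.0.1 and the name updater.exe) and the MAIL_CLIENTS allowlist are constructed.

```python
"""Correlate a public-IP lookup with a later outbound SMTP connection by the same process.

Added detection example, not part of the Joe Sandbox report. It reproduces the
api.ipify.org -> mail.iaa-airferight.com:25 sequence from the behavior graph as a
rule that can be run over connection telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float    # seconds since the first event
    pid: int
    image: str   # process image name
    host: str    # resolved destination name, "" if none
    ip: str
    port: int


# Public-IP lookup services commonly queried by stealers before exfiltration.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "checkip.dyndns.org", "icanhazip.com"}
SMTP_PORTS = {25, 465, 587}
# Images for which direct SMTP is expected; tune to the environment (assumption).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed events: the first two use the hosts, IPs and ports from the report;
# PIDs, timestamps and the remaining rows are invented for contrast.
SAMPLE_CONNS = [
    Conn(10.0, 1001, "jG8N6WDJOx.exe", "api.ipify.org", "104.26.13.205", 443),
    Conn(12.5, 1001, "jG8N6WDJOx.exe", "mail.iaa-airferight.com", "46.175.148.58", 25),
    Conn(30.0, 2002, "outlook.exe", "smtp.office365.com", "52.96.0.1", 587),
    Conn(31.0, 3003, "updater.exe", "api.ipify.org", "104.26.13.205", 443),
    Conn(900.0, 3003, "updater.exe", "mail.example.net", "192.0.2.10", 587),
]


def find_ip_check_then_smtp(conns, window_s=300.0):
    """Return one finding per process whose outbound SMTP connection follows a
    public-IP lookup by the same process within window_s seconds."""
    by_pid = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        by_pid[c.pid].append(c)

    findings = []
    for pid, seq in by_pid.items():
        image = seq[0].image
        if image.lower() in MAIL_CLIENTS:
            continue  # a mail client speaking SMTP is expected
        lookups = [c for c in seq if c.host.lower() in IP_LOOKUP_HOSTS]
        smtps = [c for c in seq if c.port in SMTP_PORTS]
        for smtp in smtps:
            prior = [lk for lk in lookups if 0 <= smtp.ts - lk.ts <= window_s]
            if prior:
                findings.append({
                    "pid": pid,
                    "image": image,
                    "lookup_host": prior[0].host,
                    "smtp_host": smtp.host,
                    "smtp_ip": smtp.ip,
                    "smtp_port": smtp.port,
                    "delta_s": smtp.ts - prior[0].ts,
                    # ATT&CK: Internet Connection Discovery, then Mail Protocols
                    "attack": ["T1016.001", "T1071.003"],
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_ip_check_then_smtp(SAMPLE_CONNS):
        print(f"{f['image']} (pid {f['pid']}): {f['lookup_host']} then "
              f"SMTP to {f['smtp_host']} {f['smtp_ip']}:{f['smtp_port']} "
              f"after {f['delta_s']:.1f}s  {f['attack']}")
```

On the constructed input only the jG8N6WDJOx.exe process is reported; outlook.exe is allowlisted and updater.exe's SMTP connection falls outside the 300 s window. The lookup is what makes the rule specific: plenty of software sends mail, but a non-mail process that first learns its own public address and then talks SMTP to an unrelated host is the stealer pattern, not a legitimate one.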

Antivirus, Machine Learning and Genetic Malware Detection

Submitted sample

Source | Detection | Scanner | Label
jG8N6WDJOx.exe | 79% | ReversingLabs | Win32.Infostealer.Pony
jG8N6WDJOx.exe | 52% | Virustotal |
jG8N6WDJOx.exe | 100% | Avira | HEUR/AGEN.1357257
jG8N6WDJOx.exe | 100% | Joe Sandbox ML |

Dropped files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\HNkDZJwSy.exe | 100% | Avira | HEUR/AGEN.1357257
C:\Users\user\AppData\Roaming\HNkDZJwSy.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\HNkDZJwSy.exe | 79% | ReversingLabs | Win32.Infostealer.Pony
C:\Users\user\AppData\Roaming\HNkDZJwSy.exe | 52% | Virustotal |

No Antivirus matches
No Antivirus matches
No Antivirus matches
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.iaa-airferight.com | 46.175.148.58 | true | false | | high
api.ipify.org | 104.26.13.205 | true | false | | high
15.164.165.52.in-addr.arpa | unknown | unknown | false | | high
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designersG | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers/? | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://account.dyn.com/ | jG8N6WDJOx.exe, 00000000.00000002.1733796471.0000000004079000.00000004.00000800.00020000.00000000.sdmp, jG8N6WDJOx.exe, 00000000.00000002.1733796471.00000000048E3000.00000004.00000800.00020000.00000000.sdmp, jG8N6WDJOx.exe, 00000008.00000002.2942551985.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers? | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://mail.iaa-airferight.com | jG8N6WDJOx.exe, 00000008.00000002.2944845492.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.tiro.com | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.goodfont.co.kr | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.ipify.org/t | jG8N6WDJOx.exe, 00000008.00000002.2944845492.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.carterandcone.coml | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sajatypeworks.com | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.typography.netD | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers/cabarga.htmlN | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.galapagosdesign.com/staff/dennis.htm | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.ipify.org | jG8N6WDJOx.exe, 00000000.00000002.1733796471.0000000004079000.00000004.00000800.00020000.00000000.sdmp, jG8N6WDJOx.exe, 00000000.00000002.1733796471.00000000048E3000.00000004.00000800.00020000.00000000.sdmp, jG8N6WDJOx.exe, 00000008.00000002.2942551985.0000000000402000.00000040.00000400.00020000.00000000.sdmp, jG8N6WDJOx.exe, 00000008.00000002.2944845492.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers/frere-user.html | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.galapagosdesign.com/DPlease | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers8 | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fonts.com | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sandoll.co.kr | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.urwpp.deDPlease | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.zhongyicts.com.cn | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | jG8N6WDJOx.exe, 00000000.00000002.1731950261.00000000032C9000.00000004.00000800.00020000.00000000.sdmp, jG8N6WDJOx.exe, 00000008.00000002.2944845492.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sakkal.com | jG8N6WDJOx.exe, 00000000.00000002.1748233372.00000000070D2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
46.175.148.58 | mail.iaa-airferight.com | Ukraine | 56394 | ASLAGIDKOM-NETUA | false
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588143
Start date and time: 2025-01-10 21:53:39 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: jG8N6WDJOx.exe (renamed because original name is a hash value)
Original Sample Name: 914ca6ae22e3e4d3b6e4fe8442dc7e176037ce54e98dfdec5510a179f4ef3c75.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@14/13@3/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 83
• Number of non-executed functions: 28
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27, 172.202.163.200, 52.165.164.15, 20.12.23.50, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
15:54:33 | API Interceptor | 187x Sleep call for process: jG8N6WDJOx.exe modified
15:54:36 | API Interceptor | 70x Sleep call for process: powershell.exe modified
20:54:38 | Task Scheduler | Run new task: HNkDZJwSy path: C:\Users\user\AppData\Roaming\HNkDZJwSy.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
46.175.148.58 | HGhGAjCVw5.exe | malicious | AgentTesla | -
46.175.148.58 | 0PPJsQE4wD.exe | malicious | AgentTesla | -
46.175.148.58 | kzy8qg5lbR.exe | malicious | AgentTesla | -
46.175.148.58 | OP53532 Harumi new order.scr.exe | malicious | AgentTesla | -
46.175.148.58 | INV01542 , INV01562-7500003124 JTR-0084.exe | malicious | AgentTesla | -
46.175.148.58 | Shipment Dec Orders valves 2024.scr.exe | malicious | AgentTesla | -
46.175.148.58 | proforma invoice.exe | malicious | AgentTesla | -
46.175.148.58 | Overdue_payment.pdf.exe | malicious | AgentTesla | -
46.175.148.58 | PO for fabric forecast.exe | malicious | AgentTesla, PureLog Stealer | -
46.175.148.58 | 980001672 PPR for 30887217.scr.exe | malicious | AgentTesla | -
104.26.13.205 | Yoranis Setup.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | BiXS3FRoLe.exe | malicious | TrojanRansom | api.ipify.org/
104.26.13.205 | lEUy79aLAW.exe | malicious | TrojanRansom | api.ipify.org/
104.26.13.205 | Simple1.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | 2b7cu0KwZl.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.13.205 | Prismifyr-Install.exe | malicious | Node Stealer | api.ipify.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mail.iaa-airferight.com | HGhGAjCVw5.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | 0PPJsQE4wD.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | kzy8qg5lbR.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | OP53532 Harumi new order.scr.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | INV01542 , INV01562-7500003124 JTR-0084.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | Shipment Dec Orders valves 2024.scr.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | proforma invoice.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | Overdue_payment.pdf.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | PO for fabric forecast.exe | malicious | AgentTesla, PureLog Stealer | 46.175.148.58
mail.iaa-airferight.com | 980001672 PPR for 30887217.scr.exe | malicious | AgentTesla | 46.175.148.58
api.ipify.org | HGhGAjCVw5.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | https://glfbanks.com/ | malicious | HTMLPhisher | 104.26.12.205
api.ipify.org | s2Jg1MAahY.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | Y8Q1voljvb.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | IUqsn1SBGy.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | DpTbBYeE7J.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
api.ipify.org | RJKUWSGxej.exe | malicious | AgentTesla, RedLine | 104.26.13.205
api.ipify.org | 7DpzcPcsTS.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | B8FnDUj8hy.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | FSRHC6mB16.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASLAGIDKOM-NETUA | HGhGAjCVw5.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | 0PPJsQE4wD.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | kzy8qg5lbR.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | OP53532 Harumi new order.scr.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | INV01542 , INV01562-7500003124 JTR-0084.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | Shipment Dec Orders valves 2024.scr.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | proforma invoice.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | Overdue_payment.pdf.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | PO for fabric forecast.exe | malicious | AgentTesla, PureLog Stealer | 46.175.148.58
ASLAGIDKOM-NETUA | 980001672 PPR for 30887217.scr.exe | malicious | AgentTesla | 46.175.148.58
CLOUDFLARENETUS | 2CQ2zMn0hb.exe | malicious | GuLoader, MassLogger RAT | 104.21.16.1
CLOUDFLARENETUS | 6mGpn6kupm.exe | malicious | GuLoader, MassLogger RAT | 104.21.48.1
CLOUDFLARENETUS | SABXJ1B5c8.exe | malicious | MassLogger RAT | 104.21.64.1
CLOUDFLARENETUS | oEQp0EklDb.exe | malicious | MassLogger RAT | 104.21.48.1
CLOUDFLARENETUS | gKvjKMCUfq.exe | malicious | FormBook | 188.114.97.3
CLOUDFLARENETUS | FylY1FW6fl.exe | malicious | MassLogger RAT | 104.21.32.1
CLOUDFLARENETUS | v4nrZtP7K2.exe | malicious | GuLoader, MassLogger RAT | 104.21.48.1
CLOUDFLARENETUS | xXUnP7uCBJ.exe | malicious | GuLoader, MassLogger RAT | 104.21.64.1
CLOUDFLARENETUS | HGhGAjCVw5.exe | malicious | AgentTesla | 104.26.13.205
                                                                                                            https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8fGet hashmaliciousUnknownBrowse
• 104.17.25.14
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 3b5074b1b5d032e5620f69f9f700ff0e
2CQ2zMn0hb.exe | malicious | GuLoader, MassLogger RAT
• 104.26.13.205
6mGpn6kupm.exe | malicious | GuLoader, MassLogger RAT
• 104.26.13.205
SABXJ1B5c8.exe | malicious | MassLogger RAT
• 104.26.13.205
v4nrZtP7K2.exe | malicious | GuLoader, MassLogger RAT
• 104.26.13.205
xXUnP7uCBJ.exe | malicious | GuLoader, MassLogger RAT
• 104.26.13.205
HGhGAjCVw5.exe | malicious | AgentTesla
• 104.26.13.205
4UQ5wnI389.exe | malicious | GuLoader, MassLogger RAT
• 104.26.13.205
ajRZflJ2ch.exe | malicious | GuLoader, MassLogger RAT
• 104.26.13.205
FUEvp5c8lO.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer
• 104.26.13.205
http://diebinjmajbkhhg.top/1.php?s=527 | malicious | Unknown
• 104.26.13.205

No context
Process: C:\Users\user\Desktop\jG8N6WDJOx.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview (CRLF line breaks rendered as line breaks, content truncated as in the report):
1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0
2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0
3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0
3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.380134126512796
Encrypted: false
SSDEEP: 48:+WSU4xc4RQmFoUeW+gZ9tK8NPZHUxL7u1iMuge//ZmUyus:+LHxcIFKLgZ2KRHWLOuggs
MD5: 62DC4E63B1F62F1DED898AF25361C680
SHA1: 0A47F559038057B9F4D675DADDECA31DF059A0B4
SHA-256: FCF266542D0006B1E56E72E813591B488253941A83B76524EA73204D8BA45FE4
SHA-512: 77B22859EB2A19597EA67F2C7CCE084250CB2A2DFA6230AD284838AB834B19CA80A6958A56BC5E05005B4F9A4585FE97195C93E9A91ABC0864014BA376F7DE45
Malicious: false
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Users\user\Desktop\jG8N6WDJOx.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1575
Entropy (8bit): 5.116840977996722
Encrypted: false
SSDEEP: 24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaxxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTgv
MD5: C77BC37BAE609C34D33F67DC8E4ED3CB
SHA1: 5F78910F55C6BD8360782792AF340EB40807341F
SHA-256: 323AA3BFB2EE323FA62C5F3CDED42CBD6158A37870931DD16C695401B759CFC7
SHA-512: D7B90425E0369D00D44C00B135B3A5F572B4A3E426CC5892CE70A11DC14CF842FCD43ED1F36094A21C5D815C944056B34C41AE3FC59FEFBC491CFA6ABAE18F77
Malicious: true
Preview (scheduled task definition; line breaks restored, content truncated as in the report):
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvail
Process: C:\Users\user\Desktop\jG8N6WDJOx.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 1030192
Entropy (8bit): 7.461054860796241
Encrypted: false
SSDEEP: 12288:12MKhM39TXsTAi2deLrLGAblJKLAP6ghYZ0zsEoxuj0A7JosuLsitF:0Maci2debGAnnLnzsEoAj0AFotLzF
MD5: A87229B37B8388F3687AAAA3C132DDF2
SHA1: 1390BA7361AF77F7D6DBE1B8613FAAAEC5BC8A47
SHA-256: 914CA6AE22E3E4D3B6E4FE8442DC7E176037CE54E98DFDEC5510A179F4EF3C75
SHA-512: EE8FF4C10150A3EA9FE5C2DF88F353A7AF28E462628602B7FD4E9F4BE1E92445D31167ECFEE01AE27E1579D800DC4A7B1E8D6DCBCEF9944A37DB36135096ECF8
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 79%
• Antivirus: Virustotal, Detection: 52%
Process:C:\Users\user\Desktop\jG8N6WDJOx.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Preview:[ZoneTransfer]....ZoneId=0
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.461054860796241
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:jG8N6WDJOx.exe
File size:1'030'192 bytes
MD5:a87229b37b8388f3687aaaa3c132ddf2
SHA1:1390ba7361af77f7d6dbe1b8613faaaec5bc8a47
SHA256:914ca6ae22e3e4d3b6e4fe8442dc7e176037ce54e98dfdec5510a179f4ef3c75
SHA512:ee8ff4c10150a3ea9fe5c2df88f353a7af28e462628602b7fd4e9f4be1e92445d31167ecfee01ae27e1579d800dc4a7b1e8d6dcbcef9944a37db36135096ecf8
SSDEEP:12288:12MKhM39TXsTAi2deLrLGAblJKLAP6ghYZ0zsEoxuj0A7JosuLsitF:0Maci2debGAnnLnzsEoAj0AFotLzF
TLSH:9F25F4832A2DA672DE38A73C40159CF891B41D6C6188B5A25BF97F3EE57C0225D0FE1D
Icon Hash:2946e68e96b3ca4d
Entrypoint:0x4ccffe
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x675923AF [Wed Dec 11 05:31:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid:false
Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232
Not Before, Not After
• 02/07/2021 01:00:00, 11/07/2024 00:59:59
Subject Chain
• CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US
Version:3
Thumbprint MD5:DC429A22AA63D23DB8E84F53D05D1D48
Thumbprint SHA-1:2673EA6CC23BEFFDA49AC715B121544098A1284C
Thumbprint SHA-256:7D3D117664F121E592EF897973EF9C159150E3D736326E9CD2755F71E0FEBC0C
Serial:0E4418E2DEDE36DD2974C3443AFB5CE5
Instruction
jmp dword ptr [00402000h]
push ebx
add byte ptr [ecx+00h], bh
jnc 00007F5F786E5CE2h
je 00007F5F786E5CE2h
add byte ptr [ebp+00h], ch
add byte ptr [edx+00h], dl
add byte ptr [esi+00h], ah
insb
add byte ptr [ebp+00h], ah
arpl word ptr [eax], ax
je 00007F5F786E5CE2h
imul eax, dword ptr [eax], 006E006Fh
add byte ptr [ecx+00h], al
jnc 00007F5F786E5CE2h
jnc 00007F5F786E5CE2h
add byte ptr [ebp+00h], ch
bound eax, dword ptr [eax]
insb
add byte ptr [ecx+00h], bh
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
add byte ptr [edi+00h], ch
popad
add byte ptr [eax+eax+00h], ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xccfac | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xce000 | 0x2b5ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xf6c00 | 0x4c30 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfa000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xcb044 | 0xcb200 | c9b96465254be0e7f63cfb0ce61916af | False | 0.8794387019230769 | data | 7.69734338252707 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xce000 | 0x2b5ac | 0x2b600 | 0e35e18b593290b68374f358d8ac58ad | False | 0.20862977305475505 | data | 5.110806553807546 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xfa000 | 0xc | 0x200 | e05c072a1996c22e252d310323f0990c | False | 0.041015625 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xce298 | 0x3751 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9929383518113127
RT_ICON | 0xd19ec | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.0891251626641429
RT_ICON | 0xe2214 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.13335610678999368
RT_ICON | 0xeb6bc | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.16816081330868762
RT_ICON | 0xf0b44 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.15594000944733113
RT_ICON | 0xf4d6c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.23392116182572614
RT_ICON | 0xf7314 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.274624765478424
RT_ICON | 0xf83bc | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.41885245901639345
RT_ICON | 0xf8d44 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5
RT_GROUP_ICON | 0xf91ac | 0x84 | data | | | 0.7045454545454546
RT_GROUP_ICON | 0xf9230 | 0x14 | data | | | 1.05
RT_VERSION | 0xf9244 | 0x368 | data | | | 0.40940366972477066
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 21:54:37.072803974 CET | 49734 | 443 | 192.168.2.4 | 104.26.13.205
Jan 10, 2025 21:54:37.072870016 CET | 443 | 49734 | 104.26.13.205 | 192.168.2.4
Jan 10, 2025 21:54:37.072954893 CET | 49734 | 443 | 192.168.2.4 | 104.26.13.205
Jan 10, 2025 21:54:37.087002993 CET | 49734 | 443 | 192.168.2.4 | 104.26.13.205
Jan 10, 2025 21:54:37.087040901 CET | 443 | 49734 | 104.26.13.205 | 192.168.2.4
Jan 10, 2025 21:54:37.557516098 CET | 443 | 49734 | 104.26.13.205 | 192.168.2.4
Jan 10, 2025 21:54:37.557607889 CET | 49734 | 443 | 192.168.2.4 | 104.26.13.205
Jan 10, 2025 21:54:37.561448097 CET | 49734 | 443 | 192.168.2.4 | 104.26.13.205
Jan 10, 2025 21:54:37.561465025 CET | 443 | 49734 | 104.26.13.205 | 192.168.2.4
Jan 10, 2025 21:54:37.561712980 CET | 443 | 49734 | 104.26.13.205 | 192.168.2.4
Jan 10, 2025 21:54:37.701688051 CET | 49734 | 443 | 192.168.2.4 | 104.26.13.205
Jan 10, 2025 21:54:37.962240934 CET | 49734 | 443 | 192.168.2.4 | 104.26.13.205
Jan 10, 2025 21:54:38.003464937 CET | 443 | 49734 | 104.26.13.205 | 192.168.2.4
Jan 10, 2025 21:54:38.086132050 CET | 443 | 49734 | 104.26.13.205 | 192.168.2.4
Jan 10, 2025 21:54:38.086193085 CET | 443 | 49734 | 104.26.13.205 | 192.168.2.4
Jan 10, 2025 21:54:38.086414099 CET | 49734 | 443 | 192.168.2.4 | 104.26.13.205
Jan 10, 2025 21:54:38.093009949 CET | 49734 | 443 | 192.168.2.4 | 104.26.13.205
Jan 10, 2025 21:54:39.022486925 CET | 49736 | 25 | 192.168.2.4 | 46.175.148.58
Jan 10, 2025 21:54:40.107995987 CET | 49736 | 25 | 192.168.2.4 | 46.175.148.58
Jan 10, 2025 21:54:42.107899904 CET | 49736 | 25 | 192.168.2.4 | 46.175.148.58
Jan 10, 2025 21:54:46.107944012 CET | 49736 | 25 | 192.168.2.4 | 46.175.148.58
Jan 10, 2025 21:54:54.123575926 CET | 49736 | 25 | 192.168.2.4 | 46.175.148.58
Jan 10, 2025 21:55:03.241264105 CET | 51543 | 53 | 192.168.2.4 | 162.159.36.2
Jan 10, 2025 21:55:03.246108055 CET | 53 | 51543 | 162.159.36.2 | 192.168.2.4
Jan 10, 2025 21:55:03.246233940 CET | 51543 | 53 | 192.168.2.4 | 162.159.36.2
Jan 10, 2025 21:55:03.251245022 CET | 53 | 51543 | 162.159.36.2 | 192.168.2.4
Jan 10, 2025 21:55:03.695015907 CET | 51543 | 53 | 192.168.2.4 | 162.159.36.2
Jan 10, 2025 21:55:03.700026035 CET | 53 | 51543 | 162.159.36.2 | 192.168.2.4
Jan 10, 2025 21:55:03.700167894 CET | 51543 | 53 | 192.168.2.4 | 162.159.36.2
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 21:54:37.007278919 CET | 60314 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 21:54:37.014694929 CET | 53 | 60314 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 21:54:39.009987116 CET | 64440 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 21:54:39.021709919 CET | 53 | 64440 | 1.1.1.1 | 192.168.2.4
Jan 10, 2025 21:55:03.239953995 CET | 53 | 58234 | 162.159.36.2 | 192.168.2.4
Jan 10, 2025 21:55:03.705015898 CET | 52453 | 53 | 192.168.2.4 | 1.1.1.1
Jan 10, 2025 21:55:03.726438999 CET | 53 | 52453 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 21:54:37.007278919 CET | 192.168.2.4 | 1.1.1.1 | 0x91bb | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:54:39.009987116 CET | 192.168.2.4 | 1.1.1.1 | 0xbc50 | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:55:03.705015898 CET | 192.168.2.4 | 1.1.1.1 | 0x6339 | Standard query (0) | 15.164.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 21:54:37.014694929 CET | 1.1.1.1 | 192.168.2.4 | 0x91bb | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:54:37.014694929 CET | 1.1.1.1 | 192.168.2.4 | 0x91bb | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:54:37.014694929 CET | 1.1.1.1 | 192.168.2.4 | 0x91bb | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:54:39.021709919 CET | 1.1.1.1 | 192.168.2.4 | 0xbc50 | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 21:55:03.726438999 CET | 1.1.1.1 | 192.168.2.4 | 0x6339 | Name error (3) | 15.164.165.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
• api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49734 | 104.26.13.205 | 443 | 7404 | C:\Users\user\Desktop\jG8N6WDJOx.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 20:54:37 UTC | 155 | OUT | GET / HTTP/1.1
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                                                            Host: api.ipify.org
                                                                                                            Connection: Keep-Alive
2025-01-10 20:54:38 UTC | 424 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Fri, 10 Jan 2025 20:54:38 GMT
                                                                                                            Content-Type: text/plain
                                                                                                            Content-Length: 12
                                                                                                            Connection: close
                                                                                                            Vary: Origin
                                                                                                            CF-Cache-Status: DYNAMIC
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 8fff903799a618b4-EWR
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1509&min_rtt=1499&rtt_var=582&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1846932&cwnd=201&unsent_bytes=0&cid=880c96b7625e9504&ts=539&x=0"
2025-01-10 20:54:38 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
Data Ascii: 8.46.123.189


                                                                                                            Target ID:0
                                                                                                            Start time:15:54:32
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Users\user\Desktop\jG8N6WDJOx.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\jG8N6WDJOx.exe"
                                                                                                            Imagebase:0xc00000
                                                                                                            File size:1'030'192 bytes
                                                                                                            MD5 hash:A87229B37B8388F3687AAAA3C132DDF2
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1733796471.0000000004079000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1733796471.0000000004079000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1733796471.00000000048E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1733796471.00000000048E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:2
                                                                                                            Start time:15:54:34
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jG8N6WDJOx.exe"
                                                                                                            Imagebase:0x430000
                                                                                                            File size:433'152 bytes
                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:3
                                                                                                            Start time:15:54:34
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:4
                                                                                                            Start time:15:54:34
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\HNkDZJwSy.exe"
                                                                                                            Imagebase:0x430000
                                                                                                            File size:433'152 bytes
                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:5
                                                                                                            Start time:15:54:35
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:6
                                                                                                            Start time:15:54:35
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HNkDZJwSy" /XML "C:\Users\user\AppData\Local\Temp\tmp692.tmp"
                                                                                                            Imagebase:0x640000
                                                                                                            File size:187'904 bytes
                                                                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:7
                                                                                                            Start time:15:54:35
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:8
                                                                                                            Start time:15:54:35
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Users\user\Desktop\jG8N6WDJOx.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\jG8N6WDJOx.exe"
                                                                                                            Imagebase:0xac0000
                                                                                                            File size:1'030'192 bytes
                                                                                                            MD5 hash:A87229B37B8388F3687AAAA3C132DDF2
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2944845492.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2942551985.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2942551985.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2944845492.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2944845492.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:low
                                                                                                            Has exited:false

                                                                                                            Target ID:9
                                                                                                            Start time:15:54:38
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Users\user\AppData\Roaming\HNkDZJwSy.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Users\user\AppData\Roaming\HNkDZJwSy.exe
                                                                                                            Imagebase:0x890000
                                                                                                            File size:1'030'192 bytes
                                                                                                            MD5 hash:A87229B37B8388F3687AAAA3C132DDF2
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 100%, Avira
                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                            • Detection: 79%, ReversingLabs
                                                                                                            • Detection: 52%, Virustotal, Browse
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:10
                                                                                                            Start time:15:54:39
                                                                                                            Start date:10/01/2025
                                                                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                            Imagebase:0x7ff693ab0000
                                                                                                            File size:496'640 bytes
                                                                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true


                                                                                                              Execution Graph

                                                                                                              Execution Coverage:10.7%
                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                              Signature Coverage:0%
                                                                                                              Total number of Nodes:40
                                                                                                              Total number of Limit Nodes:6

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Te^q$Te^q$z^I
                                                                                                              • API String ID: 0-2886491258
                                                                                                              • Opcode ID: 4bd8f3b1768ef4f9e5d2ef9d6015f5ac0f90fe1ef0600dc63ae07b4041ac414d
                                                                                                              • Instruction ID: 17c073ad9bcb656aa8f8a6e132aa3248f0f9c1a8671ed3a16063c906736b126f
                                                                                                              • Opcode Fuzzy Hash: 4bd8f3b1768ef4f9e5d2ef9d6015f5ac0f90fe1ef0600dc63ae07b4041ac414d
                                                                                                              • Instruction Fuzzy Hash: 17B189B4E052698FCB04CFE9C9809EDFBB2FF89310F14852AD415AB268D7349946CF94

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ry$ry
                                                                                                              • API String ID: 0-883804406
                                                                                                              • Opcode ID: a7117c9ea256d5deca25c87bf05085a3ec73faa40824ac009d880bdfc252195d
                                                                                                              • Instruction ID: 98c1d7615bb7651e7d2c23f7c2696fcf05e8726064801a57eeb79a29b251031b
                                                                                                              • Opcode Fuzzy Hash: a7117c9ea256d5deca25c87bf05085a3ec73faa40824ac009d880bdfc252195d
                                                                                                              • Instruction Fuzzy Hash: 41F1AEB5E05216EFDB04CFA9D8854EEFBB2FF89314B10856AD405AB345C734A946CF90

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ry$ry
                                                                                                              • API String ID: 0-883804406
                                                                                                              • Opcode ID: ece96f2c4890a9f45dc52099ba48ebf2860db8e27c68b4d372f4f0c411fe2d34
                                                                                                              • Instruction ID: f7aa9b2f69d3192c84806a31ffb66a55027f778dff4df76d68abfab3b8647b2e
                                                                                                              • Opcode Fuzzy Hash: ece96f2c4890a9f45dc52099ba48ebf2860db8e27c68b4d372f4f0c411fe2d34
                                                                                                              • Instruction Fuzzy Hash: F3E1AEB5E09216EFDB04CFA9D8854EEFBB2FF89314B10856AD405AB345C734A946CF90

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ry$ry
                                                                                                              • API String ID: 0-883804406
                                                                                                              • Opcode ID: 353aa69e28c9cd0d178ab0f46b79abe9564e685b81a91a0f5b286e2e838d6dac
                                                                                                              • Instruction ID: cd7e10355aea70fee360b587a2f5fa53e471f3c8a4a7b7a8c1be420ad64d5389
                                                                                                              • Opcode Fuzzy Hash: 353aa69e28c9cd0d178ab0f46b79abe9564e685b81a91a0f5b286e2e838d6dac
                                                                                                              • Instruction Fuzzy Hash: D8E18CB4D0521AEFDB04CFA9D8854EEFBB2FF89304B10856AD405AB345D734AA46CF94

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ry$ry
                                                                                                              • API String ID: 0-883804406
                                                                                                              • Opcode ID: 3f3dcc505327bcb7c6d3886c5e5f5e34acec63a1dd6235c3fe3e4c9565f97acb
                                                                                                              • Instruction ID: 4b8ab9e1f1db7113335247298cde0ee39cfe691f9125e3aed1527f9a03ecc959
                                                                                                              • Opcode Fuzzy Hash: 3f3dcc505327bcb7c6d3886c5e5f5e34acec63a1dd6235c3fe3e4c9565f97acb
                                                                                                              • Instruction Fuzzy Hash: B6C13AB4D1520AEFDB04CFA9C4858AEFBB2FF89300F109569D515AB318D774A982CF94

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Te^q$z^I
                                                                                                              • API String ID: 0-3592684243
                                                                                                              • Opcode ID: b189f4bdbf4d59cb7c65d9381848a0ec7500aa914354e61a79ebeb077d8bb5f4
                                                                                                              • Instruction ID: ee20175562dc8c08d3e2df5500d1d192be5356bd5cb799c26d7c7f32c9b539ac
                                                                                                              • Opcode Fuzzy Hash: b189f4bdbf4d59cb7c65d9381848a0ec7500aa914354e61a79ebeb077d8bb5f4
                                                                                                              • Instruction Fuzzy Hash: DEA114B4E112598FCB08CFE9C9805EEFBB2FF89350F24942AD419AB268D7349905CF54

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: TuA$UC;"
                                                                                                              • API String ID: 0-2071649361
                                                                                                              • Opcode ID: bba80ab56a418a89393ca013dab01a3d9cc95f854de87e932bf37fab96a56798
                                                                                                              • Instruction ID: 8f1e0fdb415d505a1fa11c601e0670ce6e40ca8bd7882ffb20a195e0d6e4e589
                                                                                                              • Opcode Fuzzy Hash: bba80ab56a418a89393ca013dab01a3d9cc95f854de87e932bf37fab96a56798
                                                                                                              • Instruction Fuzzy Hash: 209117B1E24209EFCB08CFE6E49199EFBB2FF89314F10942AE415A7264D7709942CF14

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: TuA$UC;"
                                                                                                              • API String ID: 0-2071649361
                                                                                                              • Opcode ID: d04bb8f7b42e12e2feb6316b329bda05e2c58b6fb5509e132d1692ce42c4b7be
                                                                                                              • Instruction ID: 993ea3cc167b866bbb50c6b12684b18d0ca5c96eed4e91f367e32fefdc1f4fc4
                                                                                                              • Opcode Fuzzy Hash: d04bb8f7b42e12e2feb6316b329bda05e2c58b6fb5509e132d1692ce42c4b7be
                                                                                                              • Instruction Fuzzy Hash: F09116B1E24209EFCB08CFA6E59199EFBB2FF89314F10942AE415A7264D7349942CF14
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 5=6
                                                                                                              • API String ID: 0-2897083178
                                                                                                              • Opcode ID: 0d5d1b2467fb72a40c4ab903f8ec65b2da50b339870125e2dd24f6feb67a1d04
                                                                                                              • Instruction ID: 5f3c6da330306897615227420becf65defb57e8dec4f5697fcdda6921229028f
                                                                                                              • Opcode Fuzzy Hash: 0d5d1b2467fb72a40c4ab903f8ec65b2da50b339870125e2dd24f6feb67a1d04
                                                                                                              • Instruction Fuzzy Hash: 83715AB4E2520A9FCB04CFA9D9455AEFBB2BF89201F10D92BD01AE7254DB749A01CF51
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 5=6
                                                                                                              • API String ID: 0-2897083178
                                                                                                              • Opcode ID: 60f6a8146cfaa49f47d92b8ffaa76426c68aad769211a774118f3f694bbd6147
                                                                                                              • Instruction ID: 51190748a31c9d89c557a9f4985eb8f403d967aab961cfbad4ecb5f1904f3597
                                                                                                              • Opcode Fuzzy Hash: 60f6a8146cfaa49f47d92b8ffaa76426c68aad769211a774118f3f694bbd6147
                                                                                                              • Instruction Fuzzy Hash: 23615BB4E2520A9FCB04CFA9D8415AEFBF2FF89201F10D92AD01AE7254DB749A01CF55
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: -2m
                                                                                                              • API String ID: 0-2686427999
                                                                                                              • Opcode ID: bfdf938a98b666a0a859ee068e1a827953021cfb54cf1f18b7c7eb061b94d129
                                                                                                              • Instruction ID: 90ec47343404f9907583aebf962dddfd64541bdc05a07fe69c4e603acc4cb4b6
                                                                                                              • Opcode Fuzzy Hash: bfdf938a98b666a0a859ee068e1a827953021cfb54cf1f18b7c7eb061b94d129
                                                                                                              • Instruction Fuzzy Hash: 2A513AB0E042498FDB08CFAAD4406AEFBF2FF89304F29D06AD419A7255D7745940CB55
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 660cefd84942a7d440af2084aedbe698ce753f1625be70b9bb5a4a4b77787854
                                                                                                              • Instruction ID: 70908c33b34f9cde60684c59bb25db5ee64a8f816d2ff5d726b536c6d0c19ecb
                                                                                                              • Opcode Fuzzy Hash: 660cefd84942a7d440af2084aedbe698ce753f1625be70b9bb5a4a4b77787854
                                                                                                              • Instruction Fuzzy Hash: DAB119B1E15209DFDB18CFA6D99059EFBB2FF89304F20D42AD019A7254DB749A06CF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: adbd90a8eaef354c63da3f85a32c3639ca88f346c1d91ef33d45b26c633b792b
                                                                                                              • Instruction ID: 951d64911ab02e288aeffb32f02a0f091b130dba17a9685bedc05b365cd9a037
                                                                                                              • Opcode Fuzzy Hash: adbd90a8eaef354c63da3f85a32c3639ca88f346c1d91ef33d45b26c633b792b
                                                                                                              • Instruction Fuzzy Hash: 1AB108B1E15209DFDB18CFA6D99059EFBB2FF89304F20D42AD019AB254DB749A06CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6b333b37a6815f94010c98d8c75838ec1f67342490634d168c290f80168254e6
                                                                                                              • Instruction ID: 5ddb019ccfb186659925a52ea6f7e58b1d9f2bb5d49a7d3c2041081d3cf8d860
                                                                                                              • Opcode Fuzzy Hash: 6b333b37a6815f94010c98d8c75838ec1f67342490634d168c290f80168254e6
                                                                                                              • Instruction Fuzzy Hash: 5B3146B0E016188BDB18CFAAD8402DEBBB3BFC9310F14C06AD408A7264DB345A56CF90

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 294 134d1c8-134d267 GetCurrentProcess 298 134d270-134d2a4 GetCurrentThread 294->298 299 134d269-134d26f 294->299 300 134d2a6-134d2ac 298->300 301 134d2ad-134d2e1 GetCurrentProcess 298->301 299->298 300->301 303 134d2e3-134d2e9 301->303 304 134d2ea-134d305 call 134d3a8 301->304 303->304 307 134d30b-134d33a GetCurrentThreadId 304->307 308 134d343-134d3a5 307->308 309 134d33c-134d342 307->309 309->308
                                                                                                              APIs
                                                                                                              • GetCurrentProcess.KERNEL32 ref: 0134D256
                                                                                                              • GetCurrentThread.KERNEL32 ref: 0134D293
                                                                                                              • GetCurrentProcess.KERNEL32 ref: 0134D2D0
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0134D329
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1730638260.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1340000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Current$ProcessThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 2063062207-0
                                                                                                              • Opcode ID: 2e28df6e187847619eb3cac41165c8c4d3ec6e65b74d27304f547a0178cecf16
                                                                                                              • Instruction ID: d7c49b6443300b31166db304e4c13b86a764672e3f532dc0cc89795636186abb
                                                                                                              • Opcode Fuzzy Hash: 2e28df6e187847619eb3cac41165c8c4d3ec6e65b74d27304f547a0178cecf16
                                                                                                              • Instruction Fuzzy Hash: 545145B0900249CFDB18DFA9D548B9EBBF1FF98318F208459D019A7260DB34A988CF65

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 316 134d1d8-134d267 GetCurrentProcess 320 134d270-134d2a4 GetCurrentThread 316->320 321 134d269-134d26f 316->321 322 134d2a6-134d2ac 320->322 323 134d2ad-134d2e1 GetCurrentProcess 320->323 321->320 322->323 325 134d2e3-134d2e9 323->325 326 134d2ea-134d305 call 134d3a8 323->326 325->326 329 134d30b-134d33a GetCurrentThreadId 326->329 330 134d343-134d3a5 329->330 331 134d33c-134d342 329->331 331->330
                                                                                                              APIs
                                                                                                              • GetCurrentProcess.KERNEL32 ref: 0134D256
                                                                                                              • GetCurrentThread.KERNEL32 ref: 0134D293
                                                                                                              • GetCurrentProcess.KERNEL32 ref: 0134D2D0
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0134D329
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1730638260.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1340000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Current$ProcessThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 2063062207-0
                                                                                                              • Opcode ID: a2f6b276252208668f10bf1f2684458fcd525924a72536d9ae4016336187e4c2
                                                                                                              • Instruction ID: d82734e4737149e154407fb2fec2af7588d1a3bfc85472520e60fd04fa79465d
                                                                                                              • Opcode Fuzzy Hash: a2f6b276252208668f10bf1f2684458fcd525924a72536d9ae4016336187e4c2
                                                                                                              • Instruction Fuzzy Hash: 565126B4900249CFDB14DFAAD548BDEBBF5FB88318F208459D019A7360DB74A988CF65

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 868 134b209-134b237 869 134b263-134b267 868->869 870 134b239-134b246 call 1349d9c 868->870 872 134b269-134b273 869->872 873 134b27b-134b2bc 869->873 876 134b25c 870->876 877 134b248 870->877 872->873 879 134b2be-134b2c6 873->879 880 134b2c9-134b2d7 873->880 876->869 923 134b24e call 134b4b0 877->923 924 134b24e call 134b4c0 877->924 879->880 881 134b2d9-134b2de 880->881 882 134b2fb-134b2fd 880->882 884 134b2e0-134b2e7 call 1349da8 881->884 885 134b2e9 881->885 887 134b300-134b307 882->887 883 134b254-134b256 883->876 886 134b398-134b458 883->886 889 134b2eb-134b2f9 884->889 885->889 918 134b460-134b48b GetModuleHandleW 886->918 919 134b45a-134b45d 886->919 890 134b314-134b31b 887->890 891 134b309-134b311 887->891 889->887 894 134b31d-134b325 890->894 895 134b328-134b331 call 1349db8 890->895 891->890 894->895 899 134b333-134b33b 895->899 900 134b33e-134b343 895->900 899->900 901 134b345-134b34c 900->901 902 134b361-134b36e 900->902 901->902 904 134b34e-134b35e call 1349dc8 call 134ae14 901->904 909 134b370-134b38e 902->909 910 134b391-134b397 902->910 904->902 909->910 920 134b494-134b4a8 918->920 921 134b48d-134b493 918->921 919->918 921->920 923->883 924->883
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0134B47E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1730638260.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1340000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HandleModule
                                                                                                              • String ID:
                                                                                                              • API String ID: 4139908857-0
                                                                                                              • Opcode ID: 7ccd08cff73ce213edf60729b9695454f8b3fcbcc0c1e18efb3cbfb42d930fbc
                                                                                                              • Instruction ID: 19362c4cd50e2b2c7a2c31eeed86aa9d52f4289c1e594f00dd68027030f0bc33
                                                                                                              • Opcode Fuzzy Hash: 7ccd08cff73ce213edf60729b9695454f8b3fcbcc0c1e18efb3cbfb42d930fbc
                                                                                                              • Instruction Fuzzy Hash: ED814470A00B458FD765DF2AC44079ABBF5FF89308F008A2ED48ADBA54D735E849CB91

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 925 134449c-13459b9 CreateActCtxA 928 13459c2-1345a1c 925->928 929 13459bb-13459c1 925->929 936 1345a1e-1345a21 928->936 937 1345a2b-1345a2f 928->937 929->928 936->937 938 1345a40 937->938 939 1345a31-1345a3d 937->939 941 1345a41 938->941 939->938 941->941
                                                                                                              APIs
                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 013459A9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1730638260.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1340000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Create
                                                                                                              • String ID:
                                                                                                              • API String ID: 2289755597-0
                                                                                                              • Opcode ID: 8e119f8140716960c7a6e1c243d84e4d97dc98179517e4c4cdee7d72d0b7f390
                                                                                                              • Instruction ID: 3b74c7f7ba73e7beae6ff6ccc9a35b33f426a94352c43e8065cdf7070ba44758
                                                                                                              • Opcode Fuzzy Hash: 8e119f8140716960c7a6e1c243d84e4d97dc98179517e4c4cdee7d72d0b7f390
                                                                                                              • Instruction Fuzzy Hash: 0741D0B0C00719CBDB24CFA9C844B9DBBF5FF49308F24806AD408AB255DB756989CF91
                                                                                                              APIs
                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 013459A9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1730638260.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1340000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Create
                                                                                                              • String ID:
                                                                                                              • API String ID: 2289755597-0
                                                                                                              • Opcode ID: 41e160cae4ad7d6773b531d06cc8843f5f8fdeb63c4b39bd145afcb9d47e3577
                                                                                                              • Instruction ID: 6e0009d1db1c9aa4e6407fb877d4ab851ed5b8320c88867c3b28e2850b7bcc3e
                                                                                                              • Opcode Fuzzy Hash: 41e160cae4ad7d6773b531d06cc8843f5f8fdeb63c4b39bd145afcb9d47e3577
                                                                                                              • Instruction Fuzzy Hash: 4541D0B0C00719CFDB24CFA9C88479DBBF5BF49308F24806AD409AB255DB75698ACF91
                                                                                                              APIs
                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0134D8AF
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1730638260.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1340000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DuplicateHandle
                                                                                                              • String ID:
                                                                                                              • API String ID: 3793708945-0
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 0134B47E
Memory Dump Source
• Source File: 00000000.00000002.1730638260.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1340000_jG8N6WDJOx.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0134D8AF
Memory Dump Source
• Source File: 00000000.00000002.1730638260.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1340000_jG8N6WDJOx.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• VirtualProtect.KERNEL32(?,?,?,?), ref: 0793B4E3
Memory Dump Source
• Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
• VirtualProtect.KERNEL32(?,?,?,?), ref: 0793B4E3
Memory Dump Source
• Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 0134B47E
Memory Dump Source
• Source File: 00000000.00000002.1730638260.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1340000_jG8N6WDJOx.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
Memory Dump Source
• Source File: 00000000.00000002.1730126581.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12dd000_jG8N6WDJOx.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1730126581.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12dd000_jG8N6WDJOx.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1730200249.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12ed000_jG8N6WDJOx.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1730200249.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12ed000_jG8N6WDJOx.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1730126581.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12dd000_jG8N6WDJOx.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1730126581.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12dd000_jG8N6WDJOx.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1730200249.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12ed000_jG8N6WDJOx.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1730200249.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12ed000_jG8N6WDJOx.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
Similarity
• API ID:
• String ID: {#L
• API String ID: 0-1361971085
Strings
Memory Dump Source
• Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
Similarity
• API ID:
• String ID: {#L
• API String ID: 0-1361971085
Strings
Memory Dump Source
• Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
Similarity
• API ID:
• String ID: 98R
• API String ID: 0-576591972
                                                                                                              • Opcode ID: a926d9d2ea0289585a44db33bb60fb965ae2f266070e323b9475e1165124b773
                                                                                                              • Instruction ID: 46d28f2e78d98c262a00cadab458785c2a9ac251966a1d0b91688aeeb93116d6
                                                                                                              • Opcode Fuzzy Hash: a926d9d2ea0289585a44db33bb60fb965ae2f266070e323b9475e1165124b773
                                                                                                              • Instruction Fuzzy Hash: 9B7139B5E1520ADFCB04CFA9D4819AEFBB2FF89310F15842AD414AB318D3759A51CF94
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: iUfo
                                                                                                              • API String ID: 0-3820436262
                                                                                                              • Opcode ID: e3306d941e784690b90373189708032d55fa5c5e99a60af0f1df2926f0a14200
                                                                                                              • Instruction ID: b7083d21a61712cd7706e837bd03184d779555c7ee73e4f598a1db460af2b01f
                                                                                                              • Opcode Fuzzy Hash: e3306d941e784690b90373189708032d55fa5c5e99a60af0f1df2926f0a14200
                                                                                                              • Instruction Fuzzy Hash: A15104B5E106199FCB04CFEAD8455EEFBF2BF8A300F10942AE405B7254EB7499058F64
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: iUfo
                                                                                                              • API String ID: 0-3820436262
                                                                                                              • Opcode ID: fd3f1852582f50c6a3a8f2d5a687f60c52526520f4dc471015167cfe09da2775
                                                                                                              • Instruction ID: 1c9548d9fafada8398c9ee0c9261c0fa0517fdba2ff5ded36744e693556b6e7d
                                                                                                              • Opcode Fuzzy Hash: fd3f1852582f50c6a3a8f2d5a687f60c52526520f4dc471015167cfe09da2775
                                                                                                              • Instruction Fuzzy Hash: 5C5116B5E116198FCB08CFE9D9455EEFBF2BF8A300F10942AE405B7254EB349A058B64
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: w7e^
                                                                                                              • API String ID: 0-1657886525
                                                                                                              • Opcode ID: 3dac80f7b6bda6a931db9c358870c833bd2e04336bbba00ce0f1bbef587ba98e
                                                                                                              • Instruction ID: 01c69a4c244035e425689477a16513cb3878d3fc8c6d8bb4a0f2e8da24228d02
                                                                                                              • Opcode Fuzzy Hash: 3dac80f7b6bda6a931db9c358870c833bd2e04336bbba00ce0f1bbef587ba98e
                                                                                                              • Instruction Fuzzy Hash: 46515AB5D15A0ADFCF04CFA9C4415EEFBB2FB8A305F14A56AC406B7280D33886418F64
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: w7e^
                                                                                                              • API String ID: 0-1657886525
                                                                                                              • Opcode ID: adbcd94843b326a3dbc2a830cde736052dd85dfe1530ed17a4cb5d558eec2348
                                                                                                              • Instruction ID: 61c2a60ac1261c7d966e7d7385f7ae78cd4f1eb243332330a247a0d7efd08f16
                                                                                                              • Opcode Fuzzy Hash: adbcd94843b326a3dbc2a830cde736052dd85dfe1530ed17a4cb5d558eec2348
                                                                                                              • Instruction Fuzzy Hash: 0E4139B5D15A0ADFCF04CFA6C4405EEFBB2FB8A205F14A52AC416B7294D7384642CF65
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: w7e^
                                                                                                              • API String ID: 0-1657886525
                                                                                                              • Opcode ID: b3f8a653f0feaf11811ba67f45d2f2033c4d4f647e32851260d6cbf31e963326
                                                                                                              • Instruction ID: 5c2fceb8a479f1bff5d4b1e49234b139f9f197f95dfa850c3e2fd87ef81a543d
                                                                                                              • Opcode Fuzzy Hash: b3f8a653f0feaf11811ba67f45d2f2033c4d4f647e32851260d6cbf31e963326
                                                                                                              • Instruction Fuzzy Hash: FB4139B5D15A1ADBCF04CFA6C4405EEFBB2FB8A205F14A52AC416B7284D7784642CF68
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 0ni
                                                                                                              • API String ID: 0-1488673370
                                                                                                              • Opcode ID: 2f9430f9892d6262460b001f85a40580e5270bb49f2b57454378cee219dc67db
                                                                                                              • Instruction ID: b635c16d7ff6718ebb947c4deff03332c8dcbca6ea85b103fa3fc4000c73fee7
                                                                                                              • Opcode Fuzzy Hash: 2f9430f9892d6262460b001f85a40580e5270bb49f2b57454378cee219dc67db
                                                                                                              • Instruction Fuzzy Hash: 8C516CB1E056588BDB58CF6B994479EFBF3BFC8300F14C1BA951DA6214DB341A868F11
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1730638260.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1340000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f412a5b7569085d2aa066f7ab0ace22e769872b022c56a05c4693f19c5793e14
                                                                                                              • Instruction ID: 364d7b6398e5ace3862573e2fff0e6a0d4e9102b647b798d6ef5afb500be857b
                                                                                                              • Opcode Fuzzy Hash: f412a5b7569085d2aa066f7ab0ace22e769872b022c56a05c4693f19c5793e14
                                                                                                              • Instruction Fuzzy Hash: ABA19236E0020ACFCF15DFB8C84059EBBF6FF95308B15816AE905AB265DB35E955CB40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 55ffa913504d4bdbcd6bd8aed750fb7cea4f3a71ae2bfcc2d09e32469818e1cf
                                                                                                              • Instruction ID: 263ba08302b30511aa461d24de530124feded8ed3173e75f8709ed2877df4fee
                                                                                                              • Opcode Fuzzy Hash: 55ffa913504d4bdbcd6bd8aed750fb7cea4f3a71ae2bfcc2d09e32469818e1cf
                                                                                                              • Instruction Fuzzy Hash: EA91C3B4A1521ACFCB48CFA9C58499EFBF2FF89314F24995AD415AB320D370AA41CF51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b350da160712cd69f24d859834969ce18f0dcc743a0a72618e8ee9e59902702a
                                                                                                              • Instruction ID: 08ac3a10680c9b23a209aea3574788324ebd34a994c4101fa77b173569eb5530
                                                                                                              • Opcode Fuzzy Hash: b350da160712cd69f24d859834969ce18f0dcc743a0a72618e8ee9e59902702a
                                                                                                              • Instruction Fuzzy Hash: C281F5B4A1525ACFCB08CFA9C58499EFBF1FF89314F14995AD415AB310D370AA41CF51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 90bc2ae78d9f0fb09309c1cc6e69a88b1070ba9f935355dcb38458d77ad44e2d
                                                                                                              • Instruction ID: bbab75dda2e2385c1a5e0f64df0d1cc3ddf852b69afa170dee343f31670bc37c
                                                                                                              • Opcode Fuzzy Hash: 90bc2ae78d9f0fb09309c1cc6e69a88b1070ba9f935355dcb38458d77ad44e2d
                                                                                                              • Instruction Fuzzy Hash: FE812BB4E145198BCB14DFA9C5805AEFBB2FF89304F24C1A9D418B7256DB34AE41CF61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2233901ed284ebcd00ddd6722d203982ad54db28839342d699d6e0504a8b2479
                                                                                                              • Instruction ID: 1f6d10902c268b7dcd70113e4ca8be111308e86cb90697e22ed723a4c22a1300
                                                                                                              • Opcode Fuzzy Hash: 2233901ed284ebcd00ddd6722d203982ad54db28839342d699d6e0504a8b2479
                                                                                                              • Instruction Fuzzy Hash: EE711BB4E15609CFCB08CFAAC5809DEFBF2FF89210F24942AE415B7254D374AA418B65
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 49d0c4c9d8619fc73f1bfaa182551e0b39e29f2dd80f02b96fdcd0dc484908ae
                                                                                                              • Instruction ID: 9d41ce37b9882434992ed0ff56c3af767b3663525c68eae8940b08c156ea3ffa
                                                                                                              • Opcode Fuzzy Hash: 49d0c4c9d8619fc73f1bfaa182551e0b39e29f2dd80f02b96fdcd0dc484908ae
                                                                                                              • Instruction Fuzzy Hash: EF7106B4E15609CFCB08CFAAD5809DEFBF2FF89314F24942AE415B7214D374AA418B65
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 42f6ec109e068c2e81af0fd6874880fb2a87eaf08be3fe28ad8b7c2265562a25
                                                                                                              • Instruction ID: ece227b635f41305efdf8ba10a1aca9971f62b95681bf77ddd28d0988fdc9ffc
                                                                                                              • Opcode Fuzzy Hash: 42f6ec109e068c2e81af0fd6874880fb2a87eaf08be3fe28ad8b7c2265562a25
                                                                                                              • Instruction Fuzzy Hash: CC4117B0E1520ADFCB44CFA9C5819AEFBF2EF89300F24D56AD405F7214E7349A418BA5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 68f979b9f6a3275564937379728cdc698f56918c850e0222807c4b60fba715d3
                                                                                                              • Instruction ID: a09492c5a01cdddabe263695d3b51993728ce7925b939eee608998f8d2e28836
                                                                                                              • Opcode Fuzzy Hash: 68f979b9f6a3275564937379728cdc698f56918c850e0222807c4b60fba715d3
                                                                                                              • Instruction Fuzzy Hash: E641F7B0E1560ADFCB44CFAAC5819AEFBF2FF88300F24D56AD405B7214D7749A418BA5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 611487f87b64534df177f2b2740fd348bc447905f5e61696483122ee5265830d
                                                                                                              • Instruction ID: 8f3169403e015a47932e8a139b235ca3454e6539612261852bbbe525b654e35b
                                                                                                              • Opcode Fuzzy Hash: 611487f87b64534df177f2b2740fd348bc447905f5e61696483122ee5265830d
                                                                                                              • Instruction Fuzzy Hash: 37417CB0E1560ADFCB04CFA5C5426AFFBF2AF89304F20D96AC018B7264D37887018B95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e33dace37b1c2a67ecb641d53967bcec66f0395c7dc4f575376d5178484213de
                                                                                                              • Instruction ID: 4ad333ea0b96c0daad71156436d9103352d81c1f30568f08a9c90eac0cd21dfd
                                                                                                              • Opcode Fuzzy Hash: e33dace37b1c2a67ecb641d53967bcec66f0395c7dc4f575376d5178484213de
                                                                                                              • Instruction Fuzzy Hash: EE411CB0E1560ADFCF44CFA6D5426AEFBF1AF89304F20996AC019B7264E37497418F94
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 75579c62d81abf9041daccae3d2ba1ce94f28171aee6d0f4cc1e7d772f5f6a5f
                                                                                                              • Instruction ID: 5c99fef053d28ee0c107f0c515d7fa1b8bc6efebfe399f711efc241178bbb841
                                                                                                              • Opcode Fuzzy Hash: 75579c62d81abf9041daccae3d2ba1ce94f28171aee6d0f4cc1e7d772f5f6a5f
                                                                                                              • Instruction Fuzzy Hash: 0741F9B4D0560ADFCB44CFAAD481AAEFBF2BF89304F14C466D416A7354D7349A428FA4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b48617f7e3182ffe9b7de24a844ee73ccec3b2d7bbe66d80c1af4209691f5be8
                                                                                                              • Instruction ID: 10738ea57432f2def1b2a28ae5a42c225a193ec7d8271fecd40a629eed600787
                                                                                                              • Opcode Fuzzy Hash: b48617f7e3182ffe9b7de24a844ee73ccec3b2d7bbe66d80c1af4209691f5be8
                                                                                                              • Instruction Fuzzy Hash: 2341F7B0D1560ADFCB44CFAAD481AAEFBF2BF89304F14C42AD416B7204D7349A418FA4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1754449544.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7930000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5423e6b1f6fae1b44ed65364b6232519e76dddb5be0733fe4b00ee87276c50f7
                                                                                                              • Instruction ID: 6df0cee8b83f12fc1b92deb158dce751a3c7552988e8cda54577f6433bc5d39f
                                                                                                              • Opcode Fuzzy Hash: 5423e6b1f6fae1b44ed65364b6232519e76dddb5be0733fe4b00ee87276c50f7
                                                                                                              • Instruction Fuzzy Hash: 16211FB1E046589BDB18CFAB9C406DEFBF7AFC9300F04C176D418A6224EB3406558F51

                                                                                                              Execution Graph

                                                                                                               Execution Coverage: 11.8%
                                                                                                               Dynamic/Decrypted Code Coverage: 100%
                                                                                                               Signature Coverage: 15%
                                                                                                               Total number of Nodes: 20
                                                                                                               Total number of Limit Nodes: 4
                                                                                                               execution_graph (node id, code address, resolved API where the plugin identified one)
                                                                                                               Nodes:
                                                                                                               • 23592 2c76ce8
                                                                                                               • 23593 2c76d49 GetUserNameW
                                                                                                               • 23595 2c76e35
                                                                                                               • 23596 2c70848
                                                                                                               • 23597 2c7091b
                                                                                                               • 23598 2c7084e
                                                                                                               • 23600 2c71380
                                                                                                               • 23601 2c71480
                                                                                                               • 23602 2c71396
                                                                                                               • 23604 2c77eb0
                                                                                                               • 23605 2c77eba
                                                                                                               • 23606 2c77ed4
                                                                                                               • 23609 6bafa0a
                                                                                                               • 23610 6bafc42
                                                                                                               • 23611 6bafa2d
                                                                                                               • 23612 6bafc58 GlobalMemoryStatusEx
                                                                                                               • 23613 6bafa18
                                                                                                               • 23614 6bafc42
                                                                                                               • 23615 6bafa2d
                                                                                                               • 23616 6bafc58 GlobalMemoryStatusEx
                                                                                                               Edges (source -> targets):
                                                                                                               • 23592 -> 23593
                                                                                                               • 23593 -> 23595
                                                                                                               • 23596 -> 23598
                                                                                                               • 23598 -> 23597, 23600
                                                                                                               • 23600 -> 23602
                                                                                                               • 23601 -> 23598
                                                                                                               • 23602 -> 23601, 23604
                                                                                                               • 23604 -> 23605
                                                                                                               • 23605 -> 23606, 23609, 23613
                                                                                                               • 23606 -> 23602
                                                                                                               • 23609 -> 23611
                                                                                                               • 23610 -> 23606
                                                                                                               • 23611 -> 23610, 23612
                                                                                                               • 23612 -> 23611
                                                                                                               • 23613 -> 23615
                                                                                                               • 23614 -> 23606
                                                                                                               • 23615 -> 23614, 23616
                                                                                                               • 23616 -> 23615
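The execution_graph text is the report's graph in token form and can be parsed mechanically rather than read by eye. The following Python is an added example, not Joe Sandbox code; it assumes only the token grammar visible in the report's line (a node is `<id> <hex address> [<ApiName>]`, an edge is `<id>-><id>`) and embeds that line as its input. It resolves which entry function (a node with no incoming edge) can reach which Win32 API, which here separates the GetUserNameW chain starting at 2c76ce8 from the GlobalMemoryStatusEx loop reached from 2c70848. Caveat: the graph only shows that GlobalMemoryStatusEx is called in a loop at 6bafa2d/6bafc58, not what its result is compared against; whether it is a RAM-size sandbox check has to be confirmed in the disassembly at that address.

```python
"""Parse a flattened Joe Sandbox execution_graph line into nodes and edges.

Added example, not Joe Sandbox code. Assumed grammar (taken from the report):
    <node-id> <hex-address> [<ApiName>]   declares a node
    <node-id>-><node-id>                  declares a directed edge
"""
import re
from collections import defaultdict, deque

# Copied verbatim from the execution_graph line of this report (process 8).
REPORT_GRAPH = (
    "execution_graph 23592 2c76ce8 23593 2c76d49 GetUserNameW 23592->23593 "
    "23595 2c76e35 23593->23595 23596 2c70848 23598 2c7084e 23596->23598 "
    "23597 2c7091b 23598->23597 23600 2c71380 23598->23600 23602 2c71396 "
    "23600->23602 23601 2c71480 23601->23598 23602->23601 23604 2c77eb0 "
    "23602->23604 23605 2c77eba 23604->23605 23606 2c77ed4 23605->23606 "
    "23609 6bafa0a 23605->23609 23613 6bafa18 23605->23613 23606->23602 "
    "23611 6bafa2d 23609->23611 23610 6bafc42 23610->23606 23611->23610 "
    "23612 6bafc58 GlobalMemoryStatusEx 23611->23612 23612->23611 "
    "23615 6bafa2d 23613->23615 23614 6bafc42 23614->23606 23615->23614 "
    "23616 6bafc58 GlobalMemoryStatusEx 23615->23616 23616->23615"
)

NODE_ID = re.compile(r"^\d+$")
HEX_ADDR = re.compile(r"^[0-9a-f]+$", re.I)
EDGE = re.compile(r"^(\d+)->(\d+)$")
API_NAME = re.compile(r"^[A-Za-z_]\w*$")


def parse_execution_graph(text):
    """Return ({node_id: (address, api_or_None)}, [(src, dst), ...])."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges = {}, []
    i = 0
    while i < len(tokens):
        edge = EDGE.match(tokens[i])
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        # Anything else must open a node declaration: "<id> <addr> [<Api>]".
        if not (NODE_ID.match(tokens[i]) and i + 1 < len(tokens)
                and HEX_ADDR.match(tokens[i + 1])):
            raise ValueError(f"unexpected token {tokens[i]!r} at position {i}")
        node_id, addr = int(tokens[i]), int(tokens[i + 1], 16)
        i += 2
        api = None
        # An API name follows only when the plugin resolved an import call here.
        # It starts with a letter, so it cannot be a node id or an edge; the
        # HEX_ADDR guard rejects a stray address such as "bafa2d" being taken
        # for a name.
        if i < len(tokens) and API_NAME.match(tokens[i]) \
                and not HEX_ADDR.match(tokens[i]):
            api = tokens[i]
            i += 1
        nodes[node_id] = (addr, api)
    return nodes, edges


def entry_points(nodes, edges):
    """Nodes with no incoming edge: where the sandbox began tracing a chain."""
    targets = {dst for _, dst in edges}
    return sorted(n for n in nodes if n not in targets)


def reachable_apis(nodes, edges, start):
    """Breadth-first walk from `start`; returns the set of APIs it can reach."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    seen, queue, apis = {start}, deque([start]), set()
    while queue:
        node = queue.popleft()
        api = nodes[node][1]
        if api:
            apis.add(api)
        for nxt in succ[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return apis


def summarize(text):
    """Map each entry function (hex address) to the sorted APIs it can reach."""
    nodes, edges = parse_execution_graph(text)
    return {f"{nodes[e][0]:x}": sorted(reachable_apis(nodes, edges, e))
            for e in entry_points(nodes, edges)}


if __name__ == "__main__":
    for entry, apis in summarize(REPORT_GRAPH).items():
        print(f"{entry}: {', '.join(apis) or '(no resolved API)'}")
```

Running the block prints one line per entry function. The same parser applies to any execution_graph line pasted from a Joe Sandbox report, so a triage script can flag samples whose reachable API set includes the usual evasion calls before anyone opens the disassembly.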

                                                                                                              Control-flow Graph

                                                                                                               [Control-flow graph rendered as an image in the report; only the recoverable facts are kept here]
                                                                                                               • Function entry: 6ba3040 (process 8, dump at 06BA0000); basic blocks span 6ba3040-6ba384b
                                                                                                               • Call site: block 6ba30c5 calls 6ba3859 or 6ba3860 (two alternative call edges in the graph)
                                                                                                               • No Win32 API call resolved in this function (the API ID field below is empty)
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                                                                              • API String ID: 0-2392861976
                                                                                                              • Opcode ID: e91434772b2133c7fb1ae70e883b49c990ab4e73bb6b2921f03635b1ed192de4
                                                                                                              • Instruction ID: 92243d9a095e3ae4945918d2283b200627e0b7e721c06ad48d68cec4d3d0af46
                                                                                                              • Opcode Fuzzy Hash: e91434772b2133c7fb1ae70e883b49c990ab4e73bb6b2921f03635b1ed192de4
                                                                                                              • Instruction Fuzzy Hash: CE320F71E1071ACFCB14EF75C85459DF7B6FF89300F6096AAD409AB224EB30A985CB91

                                                                                                              Control-flow Graph

                                                                                                               [Control-flow graph rendered as an image in the report; only the recoverable facts are kept here]
                                                                                                               • Function entry: 6ba7d68 (process 8, dump at 06BA0000); basic blocks span 6ba7d68-6ba83a8
                                                                                                               • Call sites: blocks 6ba7fb7-6ba800e and 6ba8162-6ba8258 both call 6ba6590
                                                                                                               • No Win32 API call resolved in this function (the API ID field below is empty)
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q$$^q
                                                                                                              • API String ID: 0-355816377
                                                                                                              • Opcode ID: 9cd513d57460b5d40806f6135c07d0010e4fae68720f8a4ea58e804fa2b02895
                                                                                                              • Instruction ID: 6a38bdb0c548c3a0330c7fef600236481ce7c69c8d976b810e4a3fe2790b9fee
                                                                                                              • Opcode Fuzzy Hash: 9cd513d57460b5d40806f6135c07d0010e4fae68720f8a4ea58e804fa2b02895
                                                                                                              • Instruction Fuzzy Hash: BB02BD70B042159FDB64DF78D990AAEB7E2EF84310F2485A9D409DB794DB71EC82CB81

                                                                                                              Control-flow Graph

                                                                                                               [Control-flow graph rendered as an image in the report; only the recoverable facts are kept here]
                                                                                                               • Function entry: 2c76ce8 (process 8, dump at 02C70000); basic blocks span 2c76ce8-2c76ea0; this is the function that heads the GetUserNameW chain in the execution graph above
                                                                                                               • API call: GetUserNameW in block 2c76df8-2c76e33 (call at 02C76E23, see APIs below)
                                                                                                               • Call site: block 2c76e97-2c76e9a calls 2c70a00
                                                                                                              APIs
                                                                                                              • GetUserNameW.ADVAPI32(00000000,00000000), ref: 02C76E23
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2944614452.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2c70000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: NameUser
                                                                                                              • String ID:
                                                                                                              • API String ID: 2645101109-0
                                                                                                              • Opcode ID: 42a78b7ae253fbdefe64f3a2aba71a2374007a5b7834a033081b0356e65cd54c
                                                                                                              • Instruction ID: 57e4e1c9354378cc3863aeccb974324cd2c35ef50e233b106f55f7b538ab93e9
                                                                                                              • Opcode Fuzzy Hash: 42a78b7ae253fbdefe64f3a2aba71a2374007a5b7834a033081b0356e65cd54c
                                                                                                              • Instruction Fuzzy Hash: B4513470D106188FDB14CFAAC888B9DBBB5BF48714F248029E819BB350DB74A944CF95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f6deb7f381f54480ac8eb4f05fa5b98c6936434699eda9ac12b7d1873fdf9110
                                                                                                              • Instruction ID: 181e6a898d6da63e051da9ef67c58902ab890fbfc94ddc74653358704ef4c8cb
                                                                                                              • Opcode Fuzzy Hash: f6deb7f381f54480ac8eb4f05fa5b98c6936434699eda9ac12b7d1873fdf9110
                                                                                                              • Instruction Fuzzy Hash: 46925474E043048FDB64CB68C584A5DBBF2EF44314F5894A9E44AEB365DB35EE86CB80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bbfbb9b916daed104756e7183e99ee4bfd8057b19156560382a7b50011c051a7
                                                                                                              • Instruction ID: cbea9afb873dacb07c354193be0e803fa8ec169c0708b7a9b0d3be87d42b38fc
                                                                                                              • Opcode Fuzzy Hash: bbfbb9b916daed104756e7183e99ee4bfd8057b19156560382a7b50011c051a7
                                                                                                              • Instruction Fuzzy Hash: 4962B0B4A04204DFDB54DF68D584AADB7F2EF88314F2485A9E40ADB354EB71EC46CB80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 919c89d6eb94915c1648a71312d156f85964f80d3c78e544c1c173bef538a315
                                                                                                              • Instruction ID: ac41e5b612b31317f18dd7e3866a1c53196c7b97a06e9dd565c1a912e8568908
                                                                                                              • Opcode Fuzzy Hash: 919c89d6eb94915c1648a71312d156f85964f80d3c78e544c1c173bef538a315
                                                                                                              • Instruction Fuzzy Hash: FF22D0B2E043059FDF64DF68C5806AEBBB2EF85320F2084A9D445EB345DA35DE46CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 59db8abb80ecbd22708bfed3df98190c7a1cf1ea2a3f9627663f61c73a61376e
                                                                                                              • Instruction ID: 1ba1f34d65fcb2872a9a00c2cde5e1990e7d2af8e426031fe4f414a6208e2170
                                                                                                              • Opcode Fuzzy Hash: 59db8abb80ecbd22708bfed3df98190c7a1cf1ea2a3f9627663f61c73a61376e
                                                                                                              • Instruction Fuzzy Hash: C42291B0E142098FDF64CF6CD5807AEB7E2EB45310F2099A6E429EB395DA35DC818B51

                                                                                                              Control-flow Graph

                                                                                                               [Control-flow graph rendered as an image in the report; only the recoverable facts are kept here]
                                                                                                               • Function entry: 6baacb8 (process 8, dump at 06BA0000); basic blocks span 6baacb8-6bab20c
                                                                                                               • Call sites: block 6bab199 calls 6bab20f; blocks 6baadef-6baae2a and 6bab043-6bab11e both call 6ba6590
                                                                                                               • No Win32 API call resolved in this function (the API ID field below is empty)
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                              • API String ID: 0-3823777903
                                                                                                              • Opcode ID: a799cc3a71c682426c266d9fb439b0a686473c71a5c45e347b88b75c8ee67e8d
                                                                                                              • Instruction ID: f1afab74ee4839469432c0cc346a39db0ce0389beb20336653c2cbc4bd7a5c03
                                                                                                              • Opcode Fuzzy Hash: a799cc3a71c682426c266d9fb439b0a686473c71a5c45e347b88b75c8ee67e8d
                                                                                                              • Instruction Fuzzy Hash: 72E17D70E543198FDB69DF68D8806AEB7B2EF88300F208969D415DB354EB31DC46CB91
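The "Memory Dump Source" names above (and the 02C70000 dump cited further down) carry the analyst-relevant facts in their dot-separated fields: the process and dump index, the base address the graph nodes are relative to, and the page protection and region type of the memory that was dumped. Below is an added helper for decoding them; it is not Joe Sandbox code, and the field layout is an assumption inferred from the values on this page and from the Windows winnt.h constants (0x40 = PAGE_EXECUTE_READWRITE, 0x20000 = MEM_PRIVATE, 0x1000000 = MEM_IMAGE). The image-backed name used for contrast is constructed, not taken from the report. Two fields are left undecoded rather than guessed.

```python
"""Decode Joe Sandbox memory-dump source names such as the ones cited in this report.

Added example, not Joe Sandbox code. The field layout is an assumption inferred
from the names on the page and from Windows memory constants; two fields are
left undecoded because the page gives no basis for interpreting them.
"""
import re
from dataclasses import dataclass

# winnt.h page-protection values (low byte) and region types.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}
MEMORY_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: proc index . dump index . numeric id . base VA . protection .
# (undecoded) . region type . (undecoded) .sdmp  -- all hex except the numeric id.
_NAME_RE = re.compile(
    r"^(?P<proc>[0-9a-fA-F]{8})\.(?P<dump>[0-9a-fA-F]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9a-fA-F]{16})\.(?P<prot>[0-9a-fA-F]{8})\.(?P<f6>[0-9a-fA-F]{8})\."
    r"(?P<mtype>[0-9a-fA-F]{8})\.(?P<f8>[0-9a-fA-F]{8})\.sdmp$"
)

# Names from this report, plus one constructed image-backed name for contrast.
REPORT_DUMP_NAMES = (
    "00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp",
    "00000008.00000002.2944614452.0000000002C70000.00000040.00000800.00020000.00000000.sdmp",
)
CONSTRUCTED_IMAGE_DUMP = "00000008.00000000.2952089759.0000000000400000.00000002.00000001.01000000.00000000.sdmp"


@dataclass(frozen=True)
class DumpSource:
    process_index: int
    dump_index: int
    base: int
    protection: int
    mem_type: int

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection & 0xFF, f"0x{self.protection:x}")

    @property
    def type_name(self) -> str:
        return MEMORY_TYPES.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def is_executable(self) -> bool:
        return (self.protection & 0xFF) in EXECUTABLE_PROTECTIONS

    @property
    def is_image_backed(self) -> bool:
        return self.mem_type == 0x1000000


def parse_dump_name(name: str) -> DumpSource:
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised sdmp name: {name!r}")
    return DumpSource(
        process_index=int(m["proc"], 16),
        dump_index=int(m["dump"], 16),
        base=int(m["base"], 16),
        protection=int(m["prot"], 16),
        mem_type=int(m["mtype"], 16),
    )


def injected_code_indicator(src: DumpSource) -> bool:
    """Executable memory that is private rather than image-backed is the footprint
    of unpacked or injected code (what the report calls 'based on PE: false')."""
    return src.is_executable and not src.is_image_backed


def dump_offset(src: DumpSource, va: int) -> int:
    """Offset of a virtual address inside the dump file: the graph nodes are
    listed by VA, while the dump itself starts at 'Offset: <base>'."""
    if va < src.base:
        raise ValueError("address precedes the dump base")
    return va - src.base


def expected_snapshot_prefix(src: DumpSource) -> str:
    """The IDA-plugin snapshot name repeats proc, dump and base (hcaresult_8_2_6ba0000_...),
    so the two names on the page can be cross-checked against each other."""
    return f"hcaresult_{src.process_index}_{src.dump_index}_{src.base:x}_"


if __name__ == "__main__":
    for name in REPORT_DUMP_NAMES + (CONSTRUCTED_IMAGE_DUMP,):
        s = parse_dump_name(name)
        print(f"{s.base:#010x} {s.protection_name:<24} {s.type_name:<12} "
              f"injected_code={injected_code_indicator(s)}")
```

Both dumps listed in this section decode to PAGE_EXECUTE_READWRITE, MEM_PRIVATE memory in process 8, which is why the graphs above are of code that no file on disk contains; to find a node such as 6baacb8 in the raw dump, subtract the base (0xACB8 into the 06BA0000 dump).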

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 255 6bab630-6bab650 256 6bab652-6bab655 255->256 257 6bab66f-6bab672 256->257 258 6bab657-6bab65e 256->258 259 6bab682-6bab685 257->259 260 6bab674-6bab67d 257->260 261 6bab9d3-6baba0e 258->261 262 6bab664-6bab66a 258->262 263 6bab68c-6bab68f 259->263 264 6bab687-6bab689 259->264 260->259 270 6baba10-6baba13 261->270 262->257 265 6bab69c-6bab69f 263->265 266 6bab691-6bab697 263->266 264->263 268 6bab770-6bab771 265->268 269 6bab6a5-6bab6a8 265->269 266->265 271 6bab776-6bab779 268->271 272 6bab6aa-6bab6b3 269->272 273 6bab6c5-6bab6c8 269->273 274 6baba19-6baba41 270->274 275 6babc7f-6babc82 270->275 276 6bab77b-6bab7c9 call 6ba6590 271->276 277 6bab7ce-6bab7d1 271->277 272->261 278 6bab6b9-6bab6c0 272->278 281 6bab6ca-6bab6d3 273->281 282 6bab6d8-6bab6db 273->282 321 6baba4b-6baba8f 274->321 322 6baba43-6baba46 274->322 279 6babc84-6babca0 275->279 280 6babca5-6babca7 275->280 276->277 283 6bab7d3-6bab7e8 277->283 284 6bab810-6bab813 277->284 278->273 279->280 288 6babca9 280->288 289 6babcae-6babcb1 280->289 281->282 286 6bab6eb-6bab6ee 282->286 287 6bab6dd-6bab6e6 282->287 283->261 309 6bab7ee-6bab80b 283->309 292 6bab852-6bab855 284->292 293 6bab815-6bab82a 284->293 295 6bab708-6bab70b 286->295 296 6bab6f0-6bab6f6 286->296 287->286 288->289 289->270 290 6babcb7-6babcc0 289->290 298 6bab87f-6bab882 292->298 299 6bab857-6bab85e 292->299 293->261 320 6bab830-6bab84d 293->320 300 6bab71a-6bab71d 295->300 301 6bab70d-6bab713 295->301 296->261 297 6bab6fc-6bab703 296->297 297->295 310 6bab884-6bab8a0 298->310 311 6bab8a5-6bab8a8 298->311 299->261 305 6bab864-6bab874 299->305 307 6bab72f-6bab732 300->307 308 6bab71f-6bab72a 300->308 301->296 306 6bab715 301->306 333 6bab87a 305->333 334 6bab947-6bab94e 305->334 306->300 316 6bab749-6bab74c 307->316 317 6bab734-6bab73b 307->317 308->307 309->284 310->311 318 6bab8ca-6bab8cd 311->318 319 
6bab8aa-6bab8c5 311->319 331 6bab74e-6bab753 316->331 332 6bab756-6bab759 316->332 317->261 330 6bab741-6bab744 317->330 323 6bab8cf-6bab8d2 318->323 324 6bab8d7-6bab8da 318->324 319->318 320->292 368 6babc74-6babc7e 321->368 369 6baba95-6baba9e 321->369 322->290 323->324 336 6bab92e-6bab937 324->336 337 6bab8dc-6bab8df 324->337 330->316 331->332 338 6bab75b-6bab761 332->338 339 6bab766-6bab769 332->339 333->298 334->261 343 6bab954-6bab964 334->343 336->272 341 6bab93d 336->341 345 6bab8f0-6bab8f3 337->345 346 6bab8e1-6bab8e5 337->346 338->339 339->301 342 6bab76b-6bab76e 339->342 349 6bab942-6bab945 341->349 342->268 342->271 343->268 359 6bab96a 343->359 352 6bab903-6bab906 345->352 353 6bab8f5-6bab8fe 345->353 346->287 351 6bab8eb 346->351 349->334 354 6bab96f-6bab972 349->354 351->345 352->268 357 6bab90c-6bab90f 352->357 353->352 360 6bab984-6bab987 354->360 361 6bab974 354->361 362 6bab929-6bab92c 357->362 363 6bab911-6bab918 357->363 359->354 360->268 365 6bab98d-6bab990 360->365 370 6bab97c-6bab97f 361->370 362->336 362->349 363->261 366 6bab91e-6bab924 363->366 371 6bab992-6bab999 365->371 372 6bab9b6-6bab9b8 365->372 366->362 376 6babc6a-6babc6f 369->376 377 6babaa4-6babb10 call 6ba6590 369->377 370->360 371->261 378 6bab99b-6bab9ab 371->378 374 6bab9ba 372->374 375 6bab9bf-6bab9c2 372->375 374->375 375->256 379 6bab9c8-6bab9d2 375->379 376->368 389 6babc0a-6babc1f 377->389 390 6babb16-6babb1b 377->390 378->299 383 6bab9b1 378->383 383->372 389->376 392 6babb1d-6babb23 390->392 393 6babb37 390->393 394 6babb29-6babb2b 392->394 395 6babb25-6babb27 392->395 396 6babb39-6babb3f 393->396 397 6babb35 394->397 395->397 398 6babb41-6babb47 396->398 399 6babb54-6babb61 396->399 397->396 400 6babb4d 398->400 401 6babbf5-6babc04 398->401 405 6babb79-6babb86 399->405 406 6babb63-6babb69 399->406 400->399 403 6babb88-6babb95 400->403 404 6babbbc-6babbc9 400->404 401->389 401->390 413 6babbad-6babbba 403->413 414 6babb97-6babb9d 403->414 415 6babbcb-6babbd1 404->415 
416 6babbe1-6babbee 404->416 405->401 408 6babb6b 406->408 409 6babb6d-6babb6f 406->409 408->405 409->405 413->401 419 6babb9f 414->419 420 6babba1-6babba3 414->420 417 6babbd3 415->417 418 6babbd5-6babbd7 415->418 416->401 417->416 418->416 419->413 420->413
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                                                                              • API String ID: 0-2392861976
                                                                                                              • Opcode ID: 77d50f19e43a29b9f84ad6b7c99219c80477663064b141c9b3c2e74c170d11c9
                                                                                                              • Instruction ID: feae76c74cf5d24d3293cba248332f482252a67c7f900adc1226886bc8ce77ed
                                                                                                              • Opcode Fuzzy Hash: 77d50f19e43a29b9f84ad6b7c99219c80477663064b141c9b3c2e74c170d11c9
                                                                                                              • Instruction Fuzzy Hash: 18028EB0E082098FDBA4CF68D584AADB7F2FB85310F2495AAD425DB355DB70DC85CB81

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 423 6ba9138-6ba915d 424 6ba915f-6ba9162 423->424 425 6ba9168-6ba917d 424->425 426 6ba9a20-6ba9a23 424->426 432 6ba917f-6ba9185 425->432 433 6ba9195-6ba91ab 425->433 427 6ba9a49-6ba9a4b 426->427 428 6ba9a25-6ba9a44 426->428 430 6ba9a4d 427->430 431 6ba9a52-6ba9a55 427->431 428->427 430->431 431->424 435 6ba9a5b-6ba9a65 431->435 436 6ba9189-6ba918b 432->436 437 6ba9187 432->437 440 6ba91b6-6ba91b8 433->440 436->433 437->433 441 6ba91ba-6ba91c0 440->441 442 6ba91d0-6ba9241 440->442 443 6ba91c2 441->443 444 6ba91c4-6ba91c6 441->444 453 6ba926d-6ba9289 442->453 454 6ba9243-6ba9266 442->454 443->442 444->442 459 6ba928b-6ba92ae 453->459 460 6ba92b5-6ba92d0 453->460 454->453 459->460 465 6ba92fb-6ba9316 460->465 466 6ba92d2-6ba92f4 460->466 471 6ba933b-6ba9349 465->471 472 6ba9318-6ba9334 465->472 466->465 473 6ba934b-6ba9354 471->473 474 6ba9359-6ba93d3 471->474 472->471 473->435 480 6ba9420-6ba9435 474->480 481 6ba93d5-6ba93f3 474->481 480->426 485 6ba940f-6ba941e 481->485 486 6ba93f5-6ba9404 481->486 485->480 485->481 486->485
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q$$^q$$^q$$^q
                                                                                                              • API String ID: 0-2125118731
                                                                                                              • Opcode ID: 2317cb79b1b379431eb79e312abb444113b82344d5d6d0c01a782f8126068b02
                                                                                                              • Instruction ID: c3d1666bb7b2b8fff2a5cf4fc8a722bb520a4bdd53e40a19b48109ee5630e2c2
                                                                                                              • Opcode Fuzzy Hash: 2317cb79b1b379431eb79e312abb444113b82344d5d6d0c01a782f8126068b02
                                                                                                              • Instruction Fuzzy Hash: 5D915F70F1021A9FDB54EF65D9907AEB3F6EBC9204F1085A9C40DEB344EE70AC468B91

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 489 6bacf28-6bacf43 490 6bacf45-6bacf48 489->490 491 6bacf4a-6bacf8c 490->491 492 6bacf91-6bacf94 490->492 491->492 493 6bacf9a-6bacf9d 492->493 494 6bad414-6bad420 492->494 498 6bacf9f-6bacfae 493->498 499 6bacfe6-6bacfe9 493->499 496 6bad122-6bad131 494->496 497 6bad426-6bad713 494->497 502 6bad133-6bad138 496->502 503 6bad140-6bad14c 496->503 702 6bad93a-6bad944 497->702 703 6bad719-6bad71f 497->703 504 6bacfbd-6bacfc9 498->504 505 6bacfb0-6bacfb5 498->505 500 6bacfeb-6bad02d 499->500 501 6bad032-6bad035 499->501 500->501 510 6bad07e-6bad081 501->510 511 6bad037-6bad079 501->511 502->503 507 6bad152-6bad164 503->507 508 6bad945-6bad97e 503->508 504->508 512 6bacfcf-6bacfe1 504->512 505->504 526 6bad169-6bad16c 507->526 525 6bad980-6bad983 508->525 514 6bad083-6bad09f 510->514 515 6bad0a4-6bad0a7 510->515 511->510 512->499 514->515 518 6bad0a9-6bad0eb 515->518 519 6bad0f0-6bad0f3 515->519 518->519 527 6bad0fd-6bad100 519->527 528 6bad0f5-6bad0fa 519->528 534 6bad9a6-6bad9a9 525->534 535 6bad985-6bad9a1 525->535 536 6bad17b-6bad17e 526->536 537 6bad16e-6bad170 526->537 538 6bad11d-6bad120 527->538 539 6bad102-6bad118 527->539 528->527 542 6bad9ab call 6bada9d 534->542 543 6bad9b8-6bad9bb 534->543 535->534 540 6bad180-6bad1c2 536->540 541 6bad1c7-6bad1ca 536->541 545 6bad411 537->545 546 6bad176 537->546 538->496 538->526 539->538 540->541 549 6bad1cc-6bad20e 541->549 550 6bad213-6bad216 541->550 560 6bad9b1-6bad9b3 542->560 554 6bad9ee-6bad9f0 543->554 555 6bad9bd-6bad9e9 543->555 545->494 546->536 549->550 563 6bad218-6bad21a 550->563 564 6bad225-6bad228 550->564 561 6bad9f2 554->561 562 6bad9f7-6bad9fa 554->562 555->554 560->543 561->562 562->525 571 6bad9fc-6bada0b 562->571 572 6bad2cf-6bad2d8 563->572 573 6bad220 563->573 574 6bad22a-6bad26c 564->574 575 6bad271-6bad274 564->575 594 6bada0d-6bada70 call 6ba6590 571->594 595 
6bada72-6bada87 571->595 580 6bad2da-6bad2df 572->580 581 6bad2e7-6bad2f3 572->581 573->564 574->575 577 6bad2bd-6bad2bf 575->577 578 6bad276-6bad2b8 575->578 584 6bad2c1 577->584 585 6bad2c6-6bad2c9 577->585 578->577 580->581 587 6bad2f9-6bad30d 581->587 588 6bad404-6bad409 581->588 584->585 585->490 585->572 587->545 605 6bad313-6bad325 587->605 588->545 594->595 608 6bada88 595->608 619 6bad349-6bad34b 605->619 620 6bad327-6bad32d 605->620 608->608 627 6bad355-6bad361 619->627 621 6bad32f 620->621 622 6bad331-6bad33d 620->622 625 6bad33f-6bad347 621->625 622->625 625->627 636 6bad36f 627->636 637 6bad363-6bad36d 627->637 639 6bad374-6bad376 636->639 637->639 639->545 641 6bad37c-6bad398 call 6ba6590 639->641 650 6bad39a-6bad39f 641->650 651 6bad3a7-6bad3b3 641->651 650->651 651->588 652 6bad3b5-6bad402 651->652 652->545 704 6bad72e-6bad737 703->704 705 6bad721-6bad726 703->705 704->508 706 6bad73d-6bad750 704->706 705->704 708 6bad92a-6bad934 706->708 709 6bad756-6bad75c 706->709 708->702 708->703 710 6bad76b-6bad774 709->710 711 6bad75e-6bad763 709->711 710->508 712 6bad77a-6bad79b 710->712 711->710 715 6bad7aa-6bad7b3 712->715 716 6bad79d-6bad7a2 712->716 715->508 717 6bad7b9-6bad7d6 715->717 716->715 717->708 720 6bad7dc-6bad7e2 717->720 720->508 721 6bad7e8-6bad801 720->721 723 6bad91d-6bad924 721->723 724 6bad807-6bad82e 721->724 723->708 723->720 724->508 727 6bad834-6bad83e 724->727 727->508 728 6bad844-6bad85b 727->728 730 6bad86a-6bad885 728->730 731 6bad85d-6bad868 728->731 730->723 736 6bad88b-6bad8a4 call 6ba6590 730->736 731->730 740 6bad8b3-6bad8bc 736->740 741 6bad8a6-6bad8ab 736->741 740->508 742 6bad8c2-6bad916 740->742 741->740 742->723
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q$$^q$$^q
                                                                                                              • API String ID: 0-831282457
                                                                                                              • Opcode ID: 737e2b50b230c03c0cffa9701e6306693b6369d7a427e2e5918484e4718fe542
                                                                                                              • Instruction ID: 74f81fbc2af3bfb69e80b8a3fcb6889f300a0403bc2be6a1a9d8fe04128373f2
                                                                                                              • Opcode Fuzzy Hash: 737e2b50b230c03c0cffa9701e6306693b6369d7a427e2e5918484e4718fe542
                                                                                                              • Instruction Fuzzy Hash: 7C624F71A40205CFCB55EF68D590A5DB7F2FF84314B208A69D0099F769EB71ED8ACB80

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 750 6ba4b50-6ba4b74 751 6ba4b76-6ba4b79 750->751 752 6ba5258-6ba525b 751->752 753 6ba4b7f-6ba4c77 751->753 754 6ba527c-6ba527e 752->754 755 6ba525d-6ba5277 752->755 773 6ba4cfa-6ba4d01 753->773 774 6ba4c7d-6ba4cca call 6ba53f8 753->774 757 6ba5280 754->757 758 6ba5285-6ba5288 754->758 755->754 757->758 758->751 760 6ba528e-6ba529b 758->760 775 6ba4d07-6ba4d77 773->775 776 6ba4d85-6ba4d8e 773->776 787 6ba4cd0-6ba4cec 774->787 793 6ba4d79 775->793 794 6ba4d82 775->794 776->760 790 6ba4cee 787->790 791 6ba4cf7 787->791 790->791 791->773 793->794 794->776
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: fcq$XPcq$\Ocq
                                                                                                              • API String ID: 0-3575482020
                                                                                                              • Opcode ID: b8122ce15af68fe06e251a33878172b7f984839a2b5c53ae3cb71fba966b8037
                                                                                                              • Instruction ID: 288f8ad41a2e31fac280db2805a6ef8f95e6d5e54562b34b8f6244ce012577e0
                                                                                                              • Opcode Fuzzy Hash: b8122ce15af68fe06e251a33878172b7f984839a2b5c53ae3cb71fba966b8037
                                                                                                              • Instruction Fuzzy Hash: 97619E71E402189FEF549FA8C8547AEBAF6EB88310F208469D105EB394DF758D45CB91

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 1171 6ba9127-6ba915d 1172 6ba915f-6ba9162 1171->1172 1173 6ba9168-6ba917d 1172->1173 1174 6ba9a20-6ba9a23 1172->1174 1180 6ba917f-6ba9185 1173->1180 1181 6ba9195-6ba91ab 1173->1181 1175 6ba9a49-6ba9a4b 1174->1175 1176 6ba9a25-6ba9a44 1174->1176 1178 6ba9a4d 1175->1178 1179 6ba9a52-6ba9a55 1175->1179 1176->1175 1178->1179 1179->1172 1183 6ba9a5b-6ba9a65 1179->1183 1184 6ba9189-6ba918b 1180->1184 1185 6ba9187 1180->1185 1188 6ba91b6-6ba91b8 1181->1188 1184->1181 1185->1181 1189 6ba91ba-6ba91c0 1188->1189 1190 6ba91d0-6ba9241 1188->1190 1191 6ba91c2 1189->1191 1192 6ba91c4-6ba91c6 1189->1192 1201 6ba926d-6ba9289 1190->1201 1202 6ba9243-6ba9266 1190->1202 1191->1190 1192->1190 1207 6ba928b-6ba92ae 1201->1207 1208 6ba92b5-6ba92d0 1201->1208 1202->1201 1207->1208 1213 6ba92fb-6ba9316 1208->1213 1214 6ba92d2-6ba92f4 1208->1214 1219 6ba933b-6ba9349 1213->1219 1220 6ba9318-6ba9334 1213->1220 1214->1213 1221 6ba934b-6ba9354 1219->1221 1222 6ba9359-6ba93d3 1219->1222 1220->1219 1221->1183 1228 6ba9420-6ba9435 1222->1228 1229 6ba93d5-6ba93f3 1222->1229 1228->1174 1233 6ba940f-6ba941e 1229->1233 1234 6ba93f5-6ba9404 1229->1234 1233->1228 1233->1229 1234->1233
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $^q$$^q
                                                                                                              • API String ID: 0-355816377
                                                                                                              • Opcode ID: 3818a9d33c8343d3294b44066cf220a72099f6cb088d15eb9bb20e3a10120228
                                                                                                              • Instruction ID: 3774d812beb6e064f74e479b11f0a3478fc1c81cbd695348233106d4e29748c5
                                                                                                              • Opcode Fuzzy Hash: 3818a9d33c8343d3294b44066cf220a72099f6cb088d15eb9bb20e3a10120228
                                                                                                              • Instruction Fuzzy Hash: 0A516330B102159FDB54EF75D990BAE73F6EBC8604F148569C40EEB384EA70EC428B91

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 1237 2c7eb38-2c7eb40 1238 2c7eb42-2c7eb53 1237->1238 1239 2c7eaff-2c7eb18 call 2c7eb38 1237->1239 1241 2c7eb55-2c7eb7c 1238->1241 1242 2c7eb7d-2c7eb9c call 2c7e2b0 1238->1242 1244 2c7eb1e-2c7eb22 1239->1244 1251 2c7eba2-2c7ec01 1242->1251 1252 2c7eb9e-2c7eba1 1242->1252 1246 2c7eb24-2c7eb29 1244->1246 1247 2c7eb2b-2c7eb2e 1244->1247 1249 2c7eb31-2c7eb33 1246->1249 1247->1249 1259 2c7ec07-2c7ec94 GlobalMemoryStatusEx 1251->1259 1260 2c7ec03-2c7ec06 1251->1260 1264 2c7ec96-2c7ec9c 1259->1264 1265 2c7ec9d-2c7ecc5 1259->1265 1264->1265
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2944614452.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2c70000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 940b6682156738658a60f1e5faf576a3fa6f5b4ab2cebe35a3f7cdb8332df4c5
                                                                                                              • Instruction ID: 06cc10d73ee8537b0ab44513728d3ec1539aeb53764f2991170b1dd42dd32295
                                                                                                              • Opcode Fuzzy Hash: 940b6682156738658a60f1e5faf576a3fa6f5b4ab2cebe35a3f7cdb8332df4c5
                                                                                                              • Instruction Fuzzy Hash: BD516572E047959FCB14DF79D8042EABFF5AF8A310F0485AAD409AB341DB349845CBD1

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 1269 2c76cdc-2c76d47 1270 2c76db2-2c76db6 1269->1270 1271 2c76d49-2c76d74 1269->1271 1272 2c76de1-2c76dec 1270->1272 1273 2c76db8-2c76ddb 1270->1273 1280 2c76d76-2c76d78 1271->1280 1281 2c76da4 1271->1281 1274 2c76dee-2c76df6 1272->1274 1275 2c76df8-2c76e33 GetUserNameW 1272->1275 1273->1272 1274->1275 1278 2c76e35-2c76e3b 1275->1278 1279 2c76e3c-2c76e52 1275->1279 1278->1279 1282 2c76e54-2c76e60 1279->1282 1283 2c76e68-2c76e8f 1279->1283 1284 2c76d9a-2c76da2 1280->1284 1285 2c76d7a-2c76d84 1280->1285 1286 2c76da9-2c76dac 1281->1286 1282->1283 1294 2c76e91-2c76e95 1283->1294 1295 2c76e9f 1283->1295 1284->1286 1290 2c76d86 1285->1290 1291 2c76d88-2c76d96 1285->1291 1286->1270 1290->1291 1291->1291 1292 2c76d98 1291->1292 1292->1284 1294->1295 1296 2c76e97-2c76e9a call 2c70a00 1294->1296 1297 2c76ea0 1295->1297 1296->1295 1297->1297
                                                                                                              APIs
                                                                                                              • GetUserNameW.ADVAPI32(00000000,00000000), ref: 02C76E23
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2944614452.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2c70000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: NameUser
                                                                                                              • String ID:
                                                                                                              • API String ID: 2645101109-0

Control-flow Graph

control_flow_graph 1329 2c7ec20-2c7ec5e 1330 2c7ec66-2c7ec94 GlobalMemoryStatusEx 1329->1330 1331 2c7ec96-2c7ec9c 1330->1331 1332 2c7ec9d-2c7ecc5 1330->1332 1331->1332
APIs
• GlobalMemoryStatusEx.KERNEL32(00000006), ref: 02C7EC87
Memory Dump Source
• Source File: 00000008.00000002.2944614452.0000000002C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_2c70000_jG8N6WDJOx.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
Strings
Memory Dump Source
• Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
Similarity
• API ID:
• String ID: XPcq
• API String ID: 0-714321711
Strings
Memory Dump Source
• Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
Similarity
• API ID:
• String ID: PH^q
• API String ID: 0-2549759414
Strings
Memory Dump Source
• Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
Similarity
• API ID:
• String ID: PH^q
• API String ID: 0-2549759414
Strings
Memory Dump Source
• Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
Similarity
• API ID:
• String ID: $^q
• API String ID: 0-388095546
                                                                                                              • Opcode ID: 7df11b1587ecd2a2cff37888c1cfcdfa53dbe41f2fab5e926d4fb4421e978d01
                                                                                                              • Instruction ID: 6d154ddf2993b0bc3e37a44fc727f9b735048333ae1ca6cff19646725676006f
                                                                                                              • Opcode Fuzzy Hash: 7df11b1587ecd2a2cff37888c1cfcdfa53dbe41f2fab5e926d4fb4421e978d01
                                                                                                              • Instruction Fuzzy Hash: BD31DC71E1430A8FCF65DFA8C99069EBBB2FF85300F148969D505EB715EB70E9468B80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 060727d246b20ee2e4c90a2afdbb29961ef3fa046ebbb1b02a5b99ed276f9382
                                                                                                              • Instruction ID: e8a8705ca4a821a5536ffdfd1306d871d07289581d8ba4f3672ab279926990b9
                                                                                                              • Opcode Fuzzy Hash: 060727d246b20ee2e4c90a2afdbb29961ef3fa046ebbb1b02a5b99ed276f9382
                                                                                                              • Instruction Fuzzy Hash: 5131A175E04315ABCB59CF64D8946AEB7B2FF89300F548469E906EB340DB71EE82CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ef1926d5d5e73bc7f7afd812f35632ba59f638a42737df74943fd424434195d1
                                                                                                              • Instruction ID: ef75ded745f7243236e533eba48fbc5f0ab6305dfc2038216457cca9493a481f
                                                                                                              • Opcode Fuzzy Hash: ef1926d5d5e73bc7f7afd812f35632ba59f638a42737df74943fd424434195d1
                                                                                                              • Instruction Fuzzy Hash: FD31A171E042159BCB59CF64D8546AEB7B2FF89300F548469E906EB340DB71AE82CB40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4a7fd16465baaf6faf426ada315e0f78bb0566db4273727a9cd95b1694324de8
                                                                                                              • Instruction ID: 823a39fd79e828e563462a5aa442fef943074041170823567dc1df48beccc4ba
                                                                                                              • Opcode Fuzzy Hash: 4a7fd16465baaf6faf426ada315e0f78bb0566db4273727a9cd95b1694324de8
                                                                                                              • Instruction Fuzzy Hash: DB218EB6F002159FDB50DF79D880AEEBBF6EB48710F108169E909E7380E770D8418BA5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b2987b96d12c971a706e4ec0dff0502e2c9d1eaccaf45da38d4ef2857409f0dc
                                                                                                              • Instruction ID: c56a6cfa30974a13508519ad5d3d839a895e49e755b1ee6044a0c90d66cd8758
                                                                                                              • Opcode Fuzzy Hash: b2987b96d12c971a706e4ec0dff0502e2c9d1eaccaf45da38d4ef2857409f0dc
                                                                                                              • Instruction Fuzzy Hash: EE218EB6F006159FDB40DF79D880AAEBBF2EB48710F108169E909E7384E770D9018B95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2944084790.0000000002A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A2D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2a2d000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 68cb1dbd49fc87a6f5589d9c2f05cd3d8f77c8b4b2fe9e68a041cdc00d8ba2bf
                                                                                                              • Instruction ID: c3a474f6c761d2a9448e235af21506af51d97386f0c0dbb65ac6f641eb18f14d
                                                                                                              • Opcode Fuzzy Hash: 68cb1dbd49fc87a6f5589d9c2f05cd3d8f77c8b4b2fe9e68a041cdc00d8ba2bf
                                                                                                              • Instruction Fuzzy Hash: 00210471508604DFDB14DF18D9C0B26BBA5FB84318F24C66DD94A4B267CB3AD84BCA62
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2944084790.0000000002A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A2D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_2a2d000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 810cea76327b60ed1df2dc048121857d9e53e65e68161926d57d7d809f1b29bd
                                                                                                              • Instruction ID: b2c77ddf222ca4f32df9a98f77eabe816eead7e049b0c08586c81677b3255b12
                                                                                                              • Opcode Fuzzy Hash: 810cea76327b60ed1df2dc048121857d9e53e65e68161926d57d7d809f1b29bd
                                                                                                              • Instruction Fuzzy Hash: 7E21377110D7C09FCB038B24D994711BF71AB46214F29C5DBD8898F2A7C73A984ACB62
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9c8b8745104b60cc186cd03226ecaf8420a3e4b9a2a89b7707f4dff30662ccb5
                                                                                                              • Instruction ID: 277fb63590bb920974a6a25dd2c88ac8a0d243af1bf5be214fd1654573f5e629
                                                                                                              • Opcode Fuzzy Hash: 9c8b8745104b60cc186cd03226ecaf8420a3e4b9a2a89b7707f4dff30662ccb5
                                                                                                              • Instruction Fuzzy Hash: 3A21E1B1B142189FDF54DB69E8506AEB7B7EB84350F2884B9D409EB340EB31EC41CB85
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8a9374a514b9137ec47d1a9041697deca88ff2261149b95932ce81371821ef90
                                                                                                              • Instruction ID: dd2afb2f1008588c5119abe68475b33f9a91b6e9e37bce1075db03f41f9f320e
                                                                                                              • Opcode Fuzzy Hash: 8a9374a514b9137ec47d1a9041697deca88ff2261149b95932ce81371821ef90
                                                                                                              • Instruction Fuzzy Hash: 63118E72B042255FDF949A68CC14AAE73EAEBC8210F00457AD50AE7344EE64DC428B95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f970681aee1827b85eb5e577669fd9605bd045f600b7250685132bbf69694606
                                                                                                              • Instruction ID: 88dc5bfa4ae63e573c91ed1a29f2b4690a70cdbe602c9413233c81ee33960eda
                                                                                                              • Opcode Fuzzy Hash: f970681aee1827b85eb5e577669fd9605bd045f600b7250685132bbf69694606
                                                                                                              • Instruction Fuzzy Hash: BC012871B182101FDB959ABCA44031EA7D7DBCA320F1094BAD10ACB351DD91CC424391
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fd69e4b030cbc2c165a065acef58320df619001c196dbece3887430db444ad4b
                                                                                                              • Instruction ID: 40104e7baaee2803212413586738135ff71c1326cedf45fa72ade11c36b28d9c
                                                                                                              • Opcode Fuzzy Hash: fd69e4b030cbc2c165a065acef58320df619001c196dbece3887430db444ad4b
                                                                                                              • Instruction Fuzzy Hash: D301F572B082251BDBD49A799C106EB77EBDBC8610F04417AD50AD7380EE61980687D5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 31a081197714cf6bd91e3d67f64a31d0e28e420435c689d4a7d2ce7c275ccefc
                                                                                                              • Instruction ID: 70d16b4d62baf425f31ffbbbd7566886a16cd65efd2905e7c05789bda5f4c5d9
                                                                                                              • Opcode Fuzzy Hash: 31a081197714cf6bd91e3d67f64a31d0e28e420435c689d4a7d2ce7c275ccefc
                                                                                                              • Instruction Fuzzy Hash: A821C0B5D01219AFCB00CF9AD984ADEFBB4FB49320F10816AE918A7200C375A954CFA5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 75113aff732e32dcbd453f9a15c96a0b3ca0681f4d6909afc591f5276fff58ef
                                                                                                              • Instruction ID: 4942a6b8e493c31a5d14afe41d59acd6f318e29f019d0ff494f745c4b041b40f
                                                                                                              • Opcode Fuzzy Hash: 75113aff732e32dcbd453f9a15c96a0b3ca0681f4d6909afc591f5276fff58ef
                                                                                                              • Instruction Fuzzy Hash: 280120B0B142104FD7A5DA7CE8A076E77E6DB8A714F1098BAD14ECB354DE21DC01C791
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1f6b803663dea2acbec78a89440696dc1b6172b73dc01c68b315bf36d7f0195a
                                                                                                              • Instruction ID: 0285d8e533c72bea8571dc5da8196566941b39e2f197f92420a73f962bbffb23
                                                                                                              • Opcode Fuzzy Hash: 1f6b803663dea2acbec78a89440696dc1b6172b73dc01c68b315bf36d7f0195a
                                                                                                              • Instruction Fuzzy Hash: 8B11AFB5D01259AFCB00DF9AD984ADEFBB4FB49320F10816AE918A7200D375A954CBA5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2952089759.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_6ba0000_jG8N6WDJOx.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1fff3d72fffb6ab975ae762f1d4ab22b47d2573018a7d329a553d4d6cefb0c79
                                                                                                              • Instruction ID: bbee5590c604252de436dad7d47c334eff9b77224a564a75673dcf17d0baf5c3
                                                                                                              • Opcode Fuzzy Hash: 1fff3d72fffb6ab975ae762f1d4ab22b47d2573018a7d329a553d4d6cefb0c79