
Windows Analysis Report
5hD3Yjf7xD.exe

Overview

General Information

Sample name: 5hD3Yjf7xD.exe (renamed because the original name is a hash value)
Original sample name: 81313224ee12f9a06f36e6f47f95f01b1bc30e94bf9c576f3c476b3633a0302b.exe
Analysis ID: 1588669
MD5: c63d82258f1ff64d0f21b6bc5c2be1e5
SHA1: 1f270b930f58dacf5f18b2658191ca300283ada0
SHA256: 81313224ee12f9a06f36e6f47f95f01b1bc30e94bf9c576f3c476b3633a0302b
Tags: AgentTesla, exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 5hD3Yjf7xD.exe (PID: 7504 cmdline: "C:\Users\user\Desktop\5hD3Yjf7xD.exe" MD5: C63D82258F1FF64D0F21B6BC5C2BE1E5)
    • powershell.exe (PID: 7696 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\5hD3Yjf7xD.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7728 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qIQACwuR.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8160 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7764 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" /XML "C:\Users\user\AppData\Local\Temp\tmp7052.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 5hD3Yjf7xD.exe (PID: 7952 cmdline: "C:\Users\user\Desktop\5hD3Yjf7xD.exe" MD5: C63D82258F1FF64D0F21B6BC5C2BE1E5)
  • qIQACwuR.exe (PID: 8120 cmdline: C:\Users\user\AppData\Roaming\qIQACwuR.exe MD5: C63D82258F1FF64D0F21B6BC5C2BE1E5)
    • schtasks.exe (PID: 2216 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" /XML "C:\Users\user\AppData\Local\Temp\tmp8745.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • qIQACwuR.exe (PID: 2168 cmdline: "C:\Users\user\AppData\Roaming\qIQACwuR.exe" MD5: C63D82258F1FF64D0F21B6BC5C2BE1E5)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware configuration:
{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}
Yara matches in memory dumps (Source | Rule | Description | Author):
00000009.00000002.2591696944.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.2591696944.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000002.2592897583.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000E.00000002.2592897583.00000000030B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000002.2592897583.00000000030DA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Yara matches in unpacked PE files (Source | Rule | Description | Author, followed by matched strings):
9.2.5hD3Yjf7xD.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x334ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33561:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x335eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3367d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x336e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33759:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x337ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3387f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.5hD3Yjf7xD.exe.37a5e38.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.5hD3Yjf7xD.exe.37a5e38.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.5hD3Yjf7xD.exe.37a5e38.3.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x316ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31761:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3187d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31959:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a7f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.5hD3Yjf7xD.exe.37e0858.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\5hD3Yjf7xD.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\5hD3Yjf7xD.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\5hD3Yjf7xD.exe", ParentImage: C:\Users\user\Desktop\5hD3Yjf7xD.exe, ParentProcessId: 7504, ParentProcessName: 5hD3Yjf7xD.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\5hD3Yjf7xD.exe", ProcessId: 7696, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" /XML "C:\Users\user\AppData\Local\Temp\tmp8745.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" /XML "C:\Users\user\AppData\Local\Temp\tmp8745.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\qIQACwuR.exe, ParentImage: C:\Users\user\AppData\Roaming\qIQACwuR.exe, ParentProcessId: 8120, ParentProcessName: qIQACwuR.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" /XML "C:\Users\user\AppData\Local\Temp\tmp8745.tmp", ProcessId: 2216, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\5hD3Yjf7xD.exe, Initiated: true, ProcessId: 7952, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49752
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" /XML "C:\Users\user\AppData\Local\Temp\tmp7052.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" /XML "C:\Users\user\AppData\Local\Temp\tmp7052.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\5hD3Yjf7xD.exe", ParentImage: C:\Users\user\Desktop\5hD3Yjf7xD.exe, ParentProcessId: 7504, ParentProcessName: 5hD3Yjf7xD.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" /XML "C:\Users\user\AppData\Local\Temp\tmp7052.tmp", ProcessId: 7764, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\5hD3Yjf7xD.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\5hD3Yjf7xD.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\5hD3Yjf7xD.exe", ParentImage: C:\Users\user\Desktop\5hD3Yjf7xD.exe, ParentProcessId: 7504, ParentProcessName: 5hD3Yjf7xD.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\5hD3Yjf7xD.exe", ProcessId: 7696, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" /XML "C:\Users\user\AppData\Local\Temp\tmp7052.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" /XML "C:\Users\user\AppData\Local\Temp\tmp7052.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\5hD3Yjf7xD.exe", ParentImage: C:\Users\user\Desktop\5hD3Yjf7xD.exe, ParentProcessId: 7504, ParentProcessName: 5hD3Yjf7xD.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" /XML "C:\Users\user\AppData\Local\Temp\tmp7052.tmp", ProcessId: 7764, ProcessName: schtasks.exe
No Suricata rule has matched

AV Detection

Source: 0.2.5hD3Yjf7xD.exe.37e0858.5.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "web@iaa-airferight.com", "Password": "webmaster"}
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | ReversingLabs: Detection: 83%
Source: 5hD3Yjf7xD.exe | Virustotal: Detection: 79%
Source: 5hD3Yjf7xD.exe | ReversingLabs: Detection: 83%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Joe Sandbox ML: detected
Source: 5hD3Yjf7xD.exe | Joe Sandbox ML: detected
Source: 5hD3Yjf7xD.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49775 version: TLS 1.2
Source: 5hD3Yjf7xD.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: fjsSj.pdbSHA256 | source: 5hD3Yjf7xD.exe, qIQACwuR.exe.0.dr
Source: Binary string: fjsSj.pdb | source: 5hD3Yjf7xD.exe, qIQACwuR.exe.0.dr
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Code function: 4x nop then jmp 0BD80BECh (10_2_0BD80249)
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Code function: 4x nop then jmp 0BD80BECh (10_2_0BD80406)

Networking

Source: Yara match | File source: 0.2.5hD3Yjf7xD.exe.37e0858.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5hD3Yjf7xD.exe.37a5e38.3.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | IP Address: 46.175.148.58
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.9:49752 -> 46.175.148.58:25
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: 5hD3Yjf7xD.exe, qIQACwuR.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 5hD3Yjf7xD.exe, qIQACwuR.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 5hD3Yjf7xD.exe, qIQACwuR.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 5hD3Yjf7xD.exe, qIQACwuR.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 5hD3Yjf7xD.exe, qIQACwuR.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 5hD3Yjf7xD.exe, qIQACwuR.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 5hD3Yjf7xD.exe, qIQACwuR.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: qIQACwuR.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 5hD3Yjf7xD.exe, qIQACwuR.exe.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 5hD3Yjf7xD.exe, 00000009.00000002.2591696944.0000000002CC9000.00000004.00000800.00020000.00000000.sdmp, qIQACwuR.exe, 0000000E.00000002.2592897583.00000000030DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.iaa-airferight.com
Source: 5hD3Yjf7xD.exe, qIQACwuR.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: 5hD3Yjf7xD.exe, qIQACwuR.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: 5hD3Yjf7xD.exe, qIQACwuR.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: 5hD3Yjf7xD.exe, qIQACwuR.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: 5hD3Yjf7xD.exe, 00000000.00000002.1353644765.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, 5hD3Yjf7xD.exe, 00000009.00000002.2591696944.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, qIQACwuR.exe, 0000000A.00000002.1408097571.0000000003148000.00000004.00000800.00020000.00000000.sdmp, qIQACwuR.exe, 0000000E.00000002.2592897583.0000000003069000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 5hD3Yjf7xD.exe, qIQACwuR.exe.0.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: 5hD3Yjf7xD.exe, 00000000.00000002.1356446762.0000000003769000.00000004.00000800.00020000.00000000.sdmp, qIQACwuR.exe, 0000000E.00000002.2588513639.0000000000436000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: 5hD3Yjf7xD.exe, 00000000.00000002.1356446762.0000000003769000.00000004.00000800.00020000.00000000.sdmp, 5hD3Yjf7xD.exe, 00000009.00000002.2591696944.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, qIQACwuR.exe, 0000000E.00000002.2588513639.0000000000425000.00000040.00000400.00020000.00000000.sdmp, qIQACwuR.exe, 0000000E.00000002.2592897583.0000000003069000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: 5hD3Yjf7xD.exe, 00000009.00000002.2591696944.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, qIQACwuR.exe, 0000000E.00000002.2592897583.0000000003069000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: 5hD3Yjf7xD.exe, 00000009.00000002.2591696944.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, qIQACwuR.exe, 0000000E.00000002.2592897583.0000000003069000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49775 version: TLS 1.2

System Summary

Source: 9.2.5hD3Yjf7xD.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.5hD3Yjf7xD.exe.37a5e38.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.5hD3Yjf7xD.exe.37e0858.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.5hD3Yjf7xD.exe.37e0858.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.5hD3Yjf7xD.exe.37a5e38.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5hD3Yjf7xD.exe | Static PE information: invalid certificate
Source: 5hD3Yjf7xD.exe, 00000000.00000002.1376631466.0000000008B60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 5hD3Yjf7xD.exe
Source: 5hD3Yjf7xD.exe, 00000000.00000002.1353644765.00000000027BD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs 5hD3Yjf7xD.exe
Source: 5hD3Yjf7xD.exe, 00000000.00000002.1356446762.0000000003769000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs 5hD3Yjf7xD.exe
Source: 5hD3Yjf7xD.exe, 00000000.00000002.1356446762.0000000003769000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 5hD3Yjf7xD.exe
Source: 5hD3Yjf7xD.exe, 00000000.00000002.1376525398.00000000078D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs 5hD3Yjf7xD.exe
Source: 5hD3Yjf7xD.exe, 00000000.00000002.1352201832.00000000009BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 5hD3Yjf7xD.exe
Source: 5hD3Yjf7xD.exe, 00000000.00000002.1353644765.00000000027A8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec5ea4fda-43b2-4fc0-8a8b-07958574f042.exe4 vs 5hD3Yjf7xD.exe
Source: 5hD3Yjf7xD.exe, 00000000.00000000.1324979851.00000000003D2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameChromeSetup.exe< vs 5hD3Yjf7xD.exe
Source: 5hD3Yjf7xD.exe, 00000000.00000002.1352201832.0000000000A78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerSQ vs 5hD3Yjf7xD.exe
Source: 5hD3Yjf7xD.exe, 00000000.00000002.1352201832.0000000000A78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowe: vs 5hD3Yjf7xD.exe
Source: 5hD3Yjf7xD.exe, 00000009.00000002.2589041143.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 5hD3Yjf7xD.exe
Source: 5hD3Yjf7xD.exe | Binary or memory string: OriginalFilenameChromeSetup.exe< vs 5hD3Yjf7xD.exe
Source: 5hD3Yjf7xD.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 9.2.5hD3Yjf7xD.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.5hD3Yjf7xD.exe.37a5e38.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.5hD3Yjf7xD.exe.37e0858.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.5hD3Yjf7xD.exe.37e0858.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.5hD3Yjf7xD.exe.37a5e38.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5hD3Yjf7xD.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: qIQACwuR.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@19/15@2/2
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeFile created: C:\Users\user\AppData\Roaming\qIQACwuR.exeJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2656:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeFile created: C:\Users\user\AppData\Local\Temp\tmp7052.tmpJump to behavior
Source: 5hD3Yjf7xD.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 5hD3Yjf7xD.exe | Virustotal: Detection: 79%
Source: 5hD3Yjf7xD.exe | ReversingLabs: Detection: 83%
Source: 5hD3Yjf7xD.exe | String found in binary or memory: appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={7845CB06-2203-CC75-ADD7-5EC2F08BF338}&lang=en&browser=2&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&brand=RXQR&installdataindex=empty
Source: 5hD3Yjf7xD.exe | String found in binary or memory: appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={7845CB06-2203-CC75-ADD7-5EC2F08BF338}&lang=en&browser=2&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&brand=RXQR&installdataindex=empty0
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | File read: C:\Users\user\Desktop\5hD3Yjf7xD.exe
Source: unknown | Process created: C:\Users\user\Desktop\5hD3Yjf7xD.exe "C:\Users\user\Desktop\5hD3Yjf7xD.exe"
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\5hD3Yjf7xD.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qIQACwuR.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" /XML "C:\Users\user\AppData\Local\Temp\tmp7052.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Process created: C:\Users\user\Desktop\5hD3Yjf7xD.exe "C:\Users\user\Desktop\5hD3Yjf7xD.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\qIQACwuR.exe C:\Users\user\AppData\Roaming\qIQACwuR.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" /XML "C:\Users\user\AppData\Local\Temp\tmp8745.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Process created: C:\Users\user\AppData\Roaming\qIQACwuR.exe "C:\Users\user\AppData\Roaming\qIQACwuR.exe"
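The process tree above is the chain an endpoint detection should catch: powershell.exe adding Defender exclusions for the dropper and for its copy under AppData\Roaming, schtasks.exe creating the "Updates\qIQACwuR" task from an XML file in %TEMP%, and each binary re-launching its own image (the suspended child that the PE injection targets). The Python below is an added example, not code from the Joe Sandbox report or from any vendor's rule set: it runs those three checks over process-creation events shaped like Sysmon Event ID 1 records (the field names image, parent_image and cmdline are this example's own). The sample events are constructed from the command lines listed above; one base64-encoded PowerShell variant and two benign control events are made up for illustration and marked as such in the code.

```python
"""Detection checks for the defence-evasion / persistence chain in the process
tree above. Added example, not code from the Joe Sandbox report. Event records
are constructed to mirror the report's "Process created" lines, plus one
base64-encoded PowerShell variant and two benign controls that are made up for
illustration. Field names (image, parent_image, cmdline) are this example's own
and follow a Sysmon Event ID 1 record."""
import base64
import re

# Locations an unprivileged user can write to. A Defender exclusion pointing
# here, or a task definition read from here, is exactly what the chain does.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\|\\windows\\temp\\", re.I)
MP_EXCLUSION = re.compile(
    r"-Exclusion(?:Path|Process|Extension)\s+(?:\"([^\"]*)\"|'([^']*)'|(\S+))", re.I)
PS_ENCODED = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
TASK_XML = re.compile(r"/XML\s+(?:\"([^\"]*)\"|(\S+))", re.I)
TASK_NAME = re.compile(r"/TN\s+(?:\"([^\"]*)\"|(\S+))", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def first_group(match):
    return next(g for g in match.groups() if g is not None)


def expand_powershell(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE), if any,
    so the MpPreference check also sees base64-wrapped invocations."""
    m = PS_ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le", "ignore")
    except ValueError:  # token was not valid base64 after all
        return cmdline


def detect_defender_exclusion(ev):
    """powershell.exe adding a Defender exclusion for a user-writable path."""
    if basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    text = expand_powershell(ev["cmdline"])
    if not re.search(r"(?:Add|Set)-MpPreference", text, re.I):
        return None
    m = MP_EXCLUSION.search(text)
    if not m or not USER_WRITABLE.search(first_group(m)):
        return None
    return {"rule": "defender_exclusion_user_path", "image": ev["parent_image"],
            "detail": first_group(m)}


def detect_temp_task_xml(ev):
    """schtasks /Create whose /XML task definition is read from a temp location."""
    if basename(ev["image"]) != "schtasks.exe" or not re.search(r"/create\b", ev["cmdline"], re.I):
        return None
    m = TASK_XML.search(ev["cmdline"])
    if not m or not USER_WRITABLE.search(first_group(m)):
        return None
    n = TASK_NAME.search(ev["cmdline"])
    return {"rule": "scheduled_task_from_temp_xml", "image": ev["parent_image"],
            "detail": (first_group(n) if n else "?") + " <- " + first_group(m)}


def detect_self_spawn(ev):
    """A binary in a user-writable path launching a second copy of itself: the
    trace left when a suspended child is created for PE injection. Restricted
    to user-writable paths because browsers and updaters in Program Files
    legitimately spawn their own image."""
    parent = ev.get("parent_image") or ""
    if parent.lower() != ev["image"].lower() or not USER_WRITABLE.search(ev["image"]):
        return None
    return {"rule": "self_spawn_from_user_path", "image": ev["image"], "detail": ev["cmdline"]}


DETECTORS = (detect_defender_exclusion, detect_temp_task_xml, detect_self_spawn)


def analyze(events):
    findings = []
    for ev in events:
        for detector in DETECTORS:
            hit = detector(ev)
            if hit:
                findings.append(hit)
    return findings


# Sample events constructed from the report's process tree.
DROPPER = r"C:\Users\user\Desktop\5hD3Yjf7xD.exe"
COPY = r"C:\Users\user\AppData\Roaming\qIQACwuR.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
TMP = r"C:\Users\user\AppData\Local\Temp"
# Constructed: the same exclusion command wrapped as -enc base64(UTF-16LE).
ENCODED = base64.b64encode(f'Add-MpPreference -ExclusionPath "{COPY}"'.encode("utf-16-le")).decode()


def ev(image, parent_image, cmdline):
    return {"image": image, "parent_image": parent_image, "cmdline": cmdline}


SAMPLE_EVENTS = [
    ev(DROPPER, "", f'"{DROPPER}"'),
    ev(PS, DROPPER, f'{PS_CMD} Add-MpPreference -ExclusionPath "{DROPPER}"'),
    ev(r"C:\Windows\System32\conhost.exe", PS, r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ev(PS, DROPPER, f'{PS_CMD} Add-MpPreference -ExclusionPath "{COPY}"'),
    ev(SCHTASKS, DROPPER, f'"{SCHTASKS}" /Create /TN "Updates\\qIQACwuR" /XML "{TMP}\\tmp7052.tmp"'),
    ev(DROPPER, DROPPER, f'"{DROPPER}"'),
    ev(COPY, "", COPY),
    ev(SCHTASKS, COPY, f'"{SCHTASKS}" /Create /TN "Updates\\qIQACwuR" /XML "{TMP}\\tmp8745.tmp"'),
    ev(COPY, COPY, f'"{COPY}"'),
    ev(PS, DROPPER, f"{PS_CMD} -nop -w hidden -enc {ENCODED}"),  # constructed variant, not in the report
    ev(PS, r"C:\Windows\explorer.exe", f'{PS_CMD} Add-MpPreference -ExclusionPath "C:\\Program Files\\Vendor\\"'),  # benign control
    ev(SCHTASKS, r"C:\Windows\explorer.exe", f'"{SCHTASKS}" /Create /TN "Vendor\\Update" /XML "C:\\ProgramData\\Vendor\\update.xml"'),  # benign control
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(f"{hit['rule']:30} {hit['image']:45} {hit['detail']}")
```

Run stand-alone it prints seven findings: three Defender exclusions (including the decoded -enc variant), two task registrations from %TEMP%, and the two self-spawns; the two benign controls produce nothing. In production the parent image of the PowerShell and schtasks events is the field worth pivoting on, since it names the binary that needs to be pulled for analysis.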
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: vaultcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll (2x)
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: ucrtbase_clr0400.dll (2x)
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: rasapi32.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: rasman.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: rtutils.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: schannel.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: vaultcli.dll
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                  Source: 5hD3Yjf7xD.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: 5hD3Yjf7xD.exe | Static file information: File size 1111088 > 1048576
                  Source: 5hD3Yjf7xD.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: 5hD3Yjf7xD.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: fjsSj.pdbSHA256 | source: 5hD3Yjf7xD.exe, qIQACwuR.exe.0.dr
                  Source: Binary string: fjsSj.pdb | source: 5hD3Yjf7xD.exe, qIQACwuR.exe.0.dr
                  Source: 5hD3Yjf7xD.exe | Static PE information: 0x8E8E03F4 [Sun Oct 15 09:16:36 2045 UTC]
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Code function: 0_2_00C8F2A8 push ebx; retn 0004h | 0_2_00C8F2C2
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Code function: 0_2_00C8F340 push edi; retn 0004h | 0_2_00C8F34A
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Code function: 0_2_00C8F330 push esi; retn 0004h | 0_2_00C8F33A
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Code function: 0_2_06CF200F push ds; iretd | 0_2_06CF2016
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Code function: 0_2_06CF2000 push ds; iretd | 0_2_06CF2006
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Code function: 0_2_06CF202B push ds; iretd | 0_2_06CF202E
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Code function: 0_2_06CF6F93 push 6DF206CFh; iretd | 0_2_06CF6FA2
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Code function: 9_2_02BE0C6D push edi; retf | 9_2_02BE0C7A
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Code function: 9_2_067F3A40 push FC068EDAh; retf | 9_2_067F3A4D
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Code function: 9_2_0680FFBF push es; ret | 9_2_0680FFC0
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Code function: 14_2_016B0C6D push edi; retf | 14_2_016B0C7A
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe | Code function: 14_2_06C4FFBF push es; ret | 14_2_06C4FFC0
                  Source: 5hD3Yjf7xD.exe | Static PE information: section name: .text entropy: 7.201620048730543
                  Source: qIQACwuR.exe.0.dr | Static PE information: section name: .text entropy: 7.201620048730543
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | File created: C:\Users\user\AppData\Roaming\qIQACwuR.exe
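                  The static PE facts listed above (a link timestamp of 0x8E8E03F4 that decodes to a date in 2045, the DllCharacteristics flags DYNAMIC_BASE / NX_COMPAT / NO_SEH / TERMINAL_SERVER_AWARE, and a .text section whose entropy exceeds 7 bits per byte) are cheap to reproduce and to turn into triage checks. The following is an added example and is not part of the Joe Sandbox report or its tooling. It parses a constructed minimal PE32 header that carries the reported stamp and flag values rather than the sample's own bytes, and the 7.0 entropy threshold is this example's own heuristic.

```python
"""Static triage checks for the PE header facts reported above: link timestamp,
DllCharacteristics flags and section entropy. Added example with a constructed
header, not the analysed sample's bytes."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Subset of IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (values from the PE spec).
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Heuristic: a .text section above this is usually compressed or encrypted payload
# rather than compiled code. The value is this example's choice, not from the report.
HIGH_ENTROPY = 7.0

# Time the file was observed; anything linked "after" this cannot be a real link time.
OBSERVED_AT = datetime(2025, 1, 1, tzinfo=timezone.utc)


def pe_header_fields(data: bytes) -> dict:
    """Read TimeDateStamp and DllCharacteristics from an in-memory PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER starts: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    opt = coff + 20  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 for both PE32 (0x10b) and PE32+ (0x20b)
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)
    return {"machine": machine, "sections": nsections,
            "timestamp": timestamp, "dll_characteristics": dllchars}


def decode_timestamp(ts: int) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch, interpreted as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_is_suspicious(ts: int, observed_at: datetime) -> bool:
    """Zero, or later than the time the file was observed, cannot be a genuine link
    time (many .NET builds also write deliberately randomised stamps)."""
    return ts == 0 or decode_timestamp(ts) > observed_at


def dll_flags(value: int) -> list[str]:
    """Names of the known DllCharacteristics bits set in value, lowest bit first."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def shannon_entropy(buf: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def build_sample_header(timestamp: int, dllchars: int) -> bytes:
    """Constructed minimal PE32 header carrying the given fields (illustrative only)."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                    # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHI", buf, 0x84, 0x14C, 3, timestamp)   # i386, 3 sections
    struct.pack_into("<H", buf, 0x98, 0x10B)                    # PE32 magic
    struct.pack_into("<H", buf, 0x98 + 70, dllchars)            # DllCharacteristics
    return bytes(buf)


def triage(data: bytes, text_section: bytes, observed_at: datetime) -> dict:
    """Combine the three checks into one verdict dictionary."""
    f = pe_header_fields(data)
    ent = shannon_entropy(text_section)
    return {
        "link_time": decode_timestamp(f["timestamp"]).strftime("%a %b %d %H:%M:%S %Y UTC"),
        "timestamp_suspicious": timestamp_is_suspicious(f["timestamp"], observed_at),
        "dll_characteristics": dll_flags(f["dll_characteristics"]),
        "text_entropy": round(ent, 3),
        "high_entropy_text": ent >= HIGH_ENTROPY,
    }


if __name__ == "__main__":
    hdr = build_sample_header(0x8E8E03F4, 0x8540)  # stamp and flag bits as reported above
    fake_text = bytes(range(256)) * 16              # constructed stand-in for a packed .text
    print(triage(hdr, fake_text, OBSERVED_AT))
```

                  On a real file, pass the whole image to pe_header_fields and the raw bytes of the .text section (taken from its section header) to shannon_entropy; a future-dated stamp alone is not proof of malice, since deterministic .NET builds write non-chronological stamps, but combined with a near-8.0 .text entropy it is a strong packer/crypter signal.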

                  Boot Survival

                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" /XML "C:\Users\user\AppData\Local\Temp\tmp7052.tmp"
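                  The schtasks.exe invocation above is the sample's persistence step: a task named Updates\qIQACwuR is registered from an XML definition written to the user's Temp directory, and the definition file does not even carry an .xml extension. The detection logic below is an added example and is not part of the Joe Sandbox report. The process-creation command lines and the Task Scheduler XML body are constructed stand-ins (the report records the definition's path, not its contents, so the XML is hypothetical), and the path heuristics are this example's own.

```python
"""Detection logic for the persistence step reported above: a scheduled task
registered with schtasks /Create /XML from a temp-dropped definition. Added
example; the command lines and task XML below are constructed, not report data."""
import re
import xml.etree.ElementTree as ET

# Locations a task definition or task binary should rarely come from. These
# patterns are this example's own heuristics, not taken from the report.
TEMP_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Users\\Public\\", re.I)
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Tokenise a Windows command line, keeping double-quoted arguments whole."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyse_schtasks(cmdline: str) -> dict:
    """Return findings for a schtasks.exe /Create command line (none if it looks benign)."""
    toks = split_windows_cmdline(cmdline)
    result = {"schtasks_create": False, "task_name": None, "xml": None, "findings": []}
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return result
    upper = [t.upper() for t in toks]
    if "/CREATE" not in upper:
        return result
    result["schtasks_create"] = True

    def arg_after(flag: str):
        i = upper.index(flag) if flag in upper else -1
        return toks[i + 1] if 0 <= i < len(toks) - 1 else None

    result["task_name"] = arg_after("/TN")
    result["xml"] = xml_path = arg_after("/XML")
    run = arg_after("/TR")
    if xml_path:
        if TEMP_DIRS.search(xml_path):
            result["findings"].append(f"task definition read from temp path: {xml_path}")
        if not xml_path.lower().endswith(".xml"):
            result["findings"].append(f"task definition has non-.xml extension: {xml_path}")
    if run and USER_WRITABLE.search(run):
        result["findings"].append(f"task action in user-writable path: {run}")
    return result


def parse_task_xml(xml_text: str) -> dict:
    """Pull the executed command and trigger types out of a Task Scheduler XML body."""
    root = ET.fromstring(xml_text)
    cmd = root.find("t:Actions/t:Exec/t:Command", TASK_NS)
    args = root.find("t:Actions/t:Exec/t:Arguments", TASK_NS)
    triggers = root.find("t:Triggers", TASK_NS)
    command = cmd.text.strip() if cmd is not None and cmd.text else None
    return {
        "command": command,
        "arguments": args.text.strip() if args is not None and args.text else None,
        "triggers": [child.tag.split("}")[-1] for child in triggers] if triggers is not None else [],
        "action_in_user_path": bool(command and USER_WRITABLE.search(command)),
    }


# Constructed records. The first command line mirrors the one reported above; the
# second is a benign control. The XML body is hypothetical: the report shows only
# the definition's temp path, not its contents. (Real task XML on disk is UTF-16
# with a declaration; it is omitted here so the literal parses as a str.)
SUSPICIOUS_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" '
                      r'/XML "C:\Users\user\AppData\Local\Temp\tmp7052.tmp"')
BENIGN_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Corp\Inventory" '
                  r'/XML "C:\ProgramData\Corp\inventory.xml"')
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\qIQACwuR.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for line in (SUSPICIOUS_CMDLINE, BENIGN_CMDLINE):
        print(analyse_schtasks(line))
    print(parse_task_xml(SAMPLE_TASK_XML))
```

                  On a live host the temp definition is normally deleted as soon as schtasks has consumed it, so feed parse_task_xml the copy Task Scheduler keeps under C:\Windows\System32\Tasks\ (here it would be Tasks\Updates\qIQACwuR); a task whose Exec command points into the user's AppData, created from a Temp path, is the combination worth alerting on rather than either signal alone.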

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (identical entry repeated 8 times)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (identical entry repeated 6 times)
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated 45 times)
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match; File source: Process Memory Space: 5hD3Yjf7xD.exe PID: 7504, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: qIQACwuR.exe PID: 8120, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Memory allocated: C50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Memory allocated: 2760000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Memory allocated: 2650000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Memory allocated: 8CE0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Memory allocated: 9CE0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Memory allocated: 9F00000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Memory allocated: AF00000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Memory allocated: 2A90000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Memory allocated: 2C50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Memory allocated: 4C50000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Memory allocated: 12E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Memory allocated: 3100000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Memory allocated: 14F0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Memory allocated: 9160000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Memory allocated: A160000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Memory allocated: A360000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Memory allocated: B360000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Memory allocated: 12C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Memory allocated: 3060000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Memory allocated: 1600000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Code function: 10_2_0735BD19 sldt word ptr [eax]
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6599
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 462
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6537
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Window / User API: threadDelayed 5688
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Window / User API: threadDelayed 4153
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Window / User API: threadDelayed 8062
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Window / User API: threadDelayed 1802
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 7524; Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7884; Thread sleep count: 6599 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8040; Thread sleep time: -8301034833169293s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7884; Thread sleep count: 462 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7972; Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8060; Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8016; Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep count: 37 > 30
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -34126476536362649s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -100000s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8140; Thread sleep count: 5688 > 30
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -99828s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -99714s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -99609s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8140; Thread sleep count: 4153 > 30
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -99500s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -99372s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -99263s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -99134s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -99031s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -98922s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -98813s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -98688s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -98578s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -98467s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -98354s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -98250s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -98073s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -97906s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -97766s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -97656s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -97540s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -97422s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -97313s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -97188s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -97063s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -96938s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -96828s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -96719s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -96594s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -96480s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -96372s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -96266s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -96156s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -96046s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -95937s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -95828s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -95716s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -95589s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -95482s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -95312s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -95203s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -95092s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -94984s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -94875s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -94766s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -94656s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -94547s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -94438s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -94328s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -94219s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe TID: 8116; Thread sleep time: -94094s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 7244; Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep count: 32 > 30
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -29514790517935264s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -100000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -99890s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 6260; Thread sleep count: 8062 > 30
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -99781s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 6260; Thread sleep count: 1802 > 30
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -99671s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -99562s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -99452s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -99343s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -99234s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -99124s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -99015s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -98904s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -98796s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -98687s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -98578s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -98468s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -98359s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -98249s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -98140s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -98031s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -97919s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -97812s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -97703s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -97593s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -97484s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -97374s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -97265s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -97156s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -97046s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -96937s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -96828s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -96718s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -96609s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -96500s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -96390s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -96281s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -96171s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -96062s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -95953s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -95843s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -95734s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -95617s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -95515s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -95405s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -95296s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -95187s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -95078s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -94968s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -94855s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -94750s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe TID: 1968; Thread sleep time: -94640s >= -30000s
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 100000
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 99828
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 99714
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 99609
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 99500
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 99372
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 99263
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 99134
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 99031
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 98922
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 98813
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 98688
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 98578
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 98467
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 98354
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 98250
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 98073
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 97906
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 97766
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 97656
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 97540
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 97422
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 97313
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 97188
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 97063
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 96938
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 96828
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 96719
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 96594
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 96480
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 96372
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 96266
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 96156
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 96046
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 95937
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 95828
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 95716
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 95589
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 95482
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 95312
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 95203
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 95092
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 94984
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 94875
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 94766
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 94656
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 94547
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 94438
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 94328
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 94219
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Thread delayed: delay time: 94094
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 100000
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 99890
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 99781
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 99671
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 99562
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 99452
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 99343
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 99234
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 99124
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 99015
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 98904
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 98796
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 98687
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 98578
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 98468
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 98359
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 98249
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 98140
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 98031
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 97919
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 97812
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 97703
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 97593
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 97484
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 97374
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 97265
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 97156
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 97046
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 96937
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 96828
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 96718
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 96609
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 96500
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 96390
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 96281
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 96171
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 96062
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 95953
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 95843
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 95734
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 95617
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 95515
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 95405
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 95296
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 95187
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 95078
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 94968
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 94855
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 94750
                  Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Thread delayed: delay time: 94640
                  Source: qIQACwuR.exe, 0000000A.00000002.1405052597.00000000013AA000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: od_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: 5hD3Yjf7xD.exe, 00000009.00000002.2589996019.0000000000FAF000.00000004.00000020.00020000.00000000.sdmp, qIQACwuR.exe, 0000000E.00000002.2591112770.00000000013D4000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\5hD3Yjf7xD.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\5hD3Yjf7xD.exe"
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qIQACwuR.exe"
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\5hD3Yjf7xD.exe"
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qIQACwuR.exe"
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Memory written: C:\Users\user\Desktop\5hD3Yjf7xD.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Memory written: C:\Users\user\AppData\Roaming\qIQACwuR.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\5hD3Yjf7xD.exe"
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qIQACwuR.exe"
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" /XML "C:\Users\user\AppData\Local\Temp\tmp7052.tmp"
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Process created: C:\Users\user\Desktop\5hD3Yjf7xD.exe "C:\Users\user\Desktop\5hD3Yjf7xD.exe"
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" /XML "C:\Users\user\AppData\Local\Temp\tmp8745.tmp"
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Process created: C:\Users\user\AppData\Roaming\qIQACwuR.exe "C:\Users\user\AppData\Roaming\qIQACwuR.exe"
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Queries volume information: C:\Users\user\Desktop\5hD3Yjf7xD.exe VolumeInformation
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Queries volume information: C:\Users\user\Desktop\5hD3Yjf7xD.exe VolumeInformation
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Queries volume information: C:\Users\user\AppData\Roaming\qIQACwuR.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Queries volume information: C:\Users\user\AppData\Roaming\qIQACwuR.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match; File source: 0.2.5hD3Yjf7xD.exe.37a5e38.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.5hD3Yjf7xD.exe.37e0858.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.5hD3Yjf7xD.exe.37e0858.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.5hD3Yjf7xD.exe.37a5e38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.2591696944.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.2592897583.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.2592897583.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1356446762.0000000003769000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2591696944.0000000002CC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 5hD3Yjf7xD.exe PID: 7504, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 5hD3Yjf7xD.exe PID: 7952, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: qIQACwuR.exe PID: 2168, type: MEMORYSTR
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\5hD3Yjf7xD.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\qIQACwuR.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match; File source: 0.2.5hD3Yjf7xD.exe.37a5e38.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.5hD3Yjf7xD.exe.37e0858.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.5hD3Yjf7xD.exe.37e0858.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.5hD3Yjf7xD.exe.37a5e38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.2591696944.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.2592897583.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1356446762.0000000003769000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 5hD3Yjf7xD.exe PID: 7504, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 5hD3Yjf7xD.exe PID: 7952, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: qIQACwuR.exe PID: 2168, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: 0.2.5hD3Yjf7xD.exe.37a5e38.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.5hD3Yjf7xD.exe.37e0858.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.5hD3Yjf7xD.exe.37e0858.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.5hD3Yjf7xD.exe.37a5e38.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.2591696944.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.2592897583.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.2592897583.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1356446762.0000000003769000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2591696944.0000000002CC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 5hD3Yjf7xD.exe PID: 7504, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: 5hD3Yjf7xD.exe PID: 7952, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: qIQACwuR.exe PID: 2168, type: MEMORYSTR
MITRE ATT&CK Matrix (one row per line, 14 tactic columns; the numbers preceding a technique name are the count badges shown in the report's matrix)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Scheduled Task/Job | 111 Process Injection | 3 Obfuscated Files or Information | 1 Credentials in Registry | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | Logon Script (Windows) | 1 Scheduled Task/Job | 2 Software Packing | Security Account Manager | 211 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Timestomp | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 23 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 151 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 151 Virtualization/Sandbox Evasion | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph (ID: 1588669, Sample: 5hD3Yjf7xD.exe, Startdate: 11/01/2025, Architecture: WINDOWS, Score: 100)

Start
  DNS/IP: mail.iaa-airferight.com; api.ipify.org
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 7 other signatures
  Process: 5hD3Yjf7xD.exe (7) started
    Created files: C:\Users\user\AppData\Roaming\qIQACwuR.exe, PE32, dropped; C:\Users\...\qIQACwuR.exe:Zone.Identifier, ASCII, dropped; C:\Users\user\AppData\Local\...\tmp7052.tmp, XML, dropped; C:\Users\user\AppData\...\5hD3Yjf7xD.exe.log, ASCII, dropped
    Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
    Process: 5hD3Yjf7xD.exe (15, 2) started
      DNS/IP: api.ipify.org 172.67.74.152, 443, 49741, 49775, CLOUDFLARENETUS, United States
      DNS/IP: mail.iaa-airferight.com 46.175.148.58, 25, ASLAGIDKOM-NETUA, Ukraine
    Process: powershell.exe (23) started
      Signatures: Loading BitLocker PowerShell Module
      Process: conhost.exe started
      Process: WmiPrvSE.exe started
    Process: powershell.exe (23) started
      Process: conhost.exe started
    Process: schtasks.exe (1) started
      Process: conhost.exe started
  Process: qIQACwuR.exe (5) started
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
    Process: qIQACwuR.exe started
      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    Process: schtasks.exe started
      Process: conhost.exe started

Source | Detection | Scanner | Label | Link
5hD3Yjf7xD.exe | 79% | Virustotal | | Browse
5hD3Yjf7xD.exe | 83% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook |
5hD3Yjf7xD.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\qIQACwuR.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\qIQACwuR.exe | 83% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.iaa-airferight.com | 46.175.148.58 | true | false | | high
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
api.ipify.org | 172.67.74.152 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | 5hD3Yjf7xD.exe, 00000000.00000002.1356446762.0000000003769000.00000004.00000800.00020000.00000000.sdmp, 5hD3Yjf7xD.exe, 00000009.00000002.2591696944.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, qIQACwuR.exe, 0000000E.00000002.2588513639.0000000000425000.00000040.00000400.00020000.00000000.sdmp, qIQACwuR.exe, 0000000E.00000002.2592897583.0000000003069000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | 5hD3Yjf7xD.exe, 00000000.00000002.1356446762.0000000003769000.00000004.00000800.00020000.00000000.sdmp, qIQACwuR.exe, 0000000E.00000002.2588513639.0000000000436000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | 5hD3Yjf7xD.exe, 00000009.00000002.2591696944.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, qIQACwuR.exe, 0000000E.00000002.2592897583.0000000003069000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 5hD3Yjf7xD.exe, 00000000.00000002.1353644765.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, 5hD3Yjf7xD.exe, 00000009.00000002.2591696944.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, qIQACwuR.exe, 0000000A.00000002.1408097571.0000000003148000.00000004.00000800.00020000.00000000.sdmp, qIQACwuR.exe, 0000000E.00000002.2592897583.0000000003069000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.iaa-airferight.com | 5hD3Yjf7xD.exe, 00000009.00000002.2591696944.0000000002CC9000.00000004.00000800.00020000.00000000.sdmp, qIQACwuR.exe, 0000000E.00000002.2592897583.00000000030DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
46.175.148.58 | mail.iaa-airferight.com | Ukraine | | 56394 | ASLAGIDKOM-NETUA | false
172.67.74.152 | api.ipify.org | United States | | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588669
Start date and time: 2025-01-11 03:55:28 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 5hD3Yjf7xD.exe
renamed because original name is a hash value
Original Sample Name: 81313224ee12f9a06f36e6f47f95f01b1bc30e94bf9c576f3c476b3633a0302b.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@19/15@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 173
• Number of non-executed functions: 10
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 184.28.90.27, 20.12.23.50
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:56:23 | Task Scheduler | Run new task: qIQACwuR path: C:\Users\user\AppData\Roaming\qIQACwuR.exe
21:56:19 | API Interceptor | 175x Sleep call for process: 5hD3Yjf7xD.exe modified
21:56:21 | API Interceptor | 42x Sleep call for process: powershell.exe modified
21:56:25 | API Interceptor | 188x Sleep call for process: qIQACwuR.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
46.175.148.58 | xJZHVgxQul.exe | Get hash | malicious | AgentTesla | Browse |
 | jG8N6WDJOx.exe | Get hash | malicious | AgentTesla | Browse |
 | HGhGAjCVw5.exe | Get hash | malicious | AgentTesla | Browse |
 | 0PPJsQE4wD.exe | Get hash | malicious | AgentTesla | Browse |
 | kzy8qg5lbR.exe | Get hash | malicious | AgentTesla | Browse |
 | OP53532 Harumi new order.scr.exe | Get hash | malicious | AgentTesla | Browse |
 | INV01542 , INV01562-7500003124 JTR-0084.exe | Get hash | malicious | AgentTesla | Browse |
 | Shipment Dec Orders valves 2024.scr.exe | Get hash | malicious | AgentTesla | Browse |
 | proforma invoice.exe | Get hash | malicious | AgentTesla | Browse |
 | Overdue_payment.pdf.exe | Get hash | malicious | AgentTesla | Browse |
172.67.74.152 | jgbC220X2U.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/?format=text
 | malware.exe | Get hash | malicious | Targeted Ransomware, TrojanRansom | Browse | api.ipify.org/
 | Simple1.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
 | Simple2.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
 | systemConfigChecker.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
 | systemConfigChecker.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
 | 2b7cu0KwZl.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
 | Zc9eO57fgF.elf | Get hash | malicious | Unknown | Browse | api.ipify.org/
 | 67065b4c84713_Javiles.exe | Get hash | malicious | RDPWrap Tool | Browse | api.ipify.org/
 | Yc9hcFC1ux.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
mail.iaa-airferight.com | xJZHVgxQul.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | jG8N6WDJOx.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | HGhGAjCVw5.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | 0PPJsQE4wD.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | kzy8qg5lbR.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | OP53532 Harumi new order.scr.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | INV01542 , INV01562-7500003124 JTR-0084.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | Shipment Dec Orders valves 2024.scr.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | proforma invoice.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | Overdue_payment.pdf.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
s-part-0017.t-0009.t-msedge.net | 02Eh1ah35H.exe | Get hash | malicious | GuLoader | Browse | 13.107.246.45
 | AJ5zYYsisA.exe | Get hash | malicious | Unknown | Browse | 13.107.246.45
 | suBpo1g13Q.exe | Get hash | malicious | FormBook | Browse | 13.107.246.45
 | 1297823757234143258.js | Get hash | malicious | Strela Downloader | Browse | 13.107.246.45
 | 4N4nldx1wW.exe | Get hash | malicious | FormBook | Browse | 13.107.246.45
 | 1487427797195518826.js | Get hash | malicious | Strela Downloader | Browse | 13.107.246.45
 | 5by4QM3v89.exe | Get hash | malicious | FormBook | Browse | 13.107.246.45
 | uEuTtkxAqq.exe | Get hash | malicious | AgentTesla | Browse | 13.107.246.45
 | 23754232101540928500.js | Get hash | malicious | Strela Downloader | Browse | 13.107.246.45
 | rwlPT9YJt0.exe | Get hash | malicious | Snake Keylogger | Browse | 13.107.246.45
api.ipify.org | ukBQ4ch2nE.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
 | ru52XOQ1p7.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
 | xJZHVgxQul.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
 | jG8N6WDJOx.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
 | HGhGAjCVw5.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
 | https://glfbanks.com/ | Get hash | malicious | HTMLPhisher | Browse | 104.26.12.205
 | s2Jg1MAahY.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
 | Y8Q1voljvb.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
 | IUqsn1SBGy.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
 | DpTbBYeE7J.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 104.26.12.205
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ASLAGIDKOM-NETUA | xJZHVgxQul.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | jG8N6WDJOx.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | HGhGAjCVw5.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | 0PPJsQE4wD.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | kzy8qg5lbR.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | OP53532 Harumi new order.scr.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | INV01542 , INV01562-7500003124 JTR-0084.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | Shipment Dec Orders valves 2024.scr.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | proforma invoice.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
 | Overdue_payment.pdf.exe | Get hash | malicious | AgentTesla | Browse | 46.175.148.58
CLOUDFLARENETUS | MBOaS3GRtF.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.64.1
 | https://freesourcecodes70738.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuW-242imNX | Get hash | malicious | Unknown | Browse | 104.17.205.31
 | https://youtube.com0x360x380x370x340x370x340x370x300x370x330x330x610x320x660x320x660x360x310x360x640x360x360x370x320x320x650x370x320x370x350x320x660x370x320x360x620x320x650x370x300x360x380x370x300x330x660x360x390x360x340x330x640x330x320x330x300x330x300x320x360x370x330x360x390x370x340x360x350x350x660x360x390x360x340x330x640x370x330x330x310x320x360x360x350x370x360x360x350x360x650x370x340x330x320x330x640x360x320x360x310x360x650x360x650x360x350x370x320x320x360x360x350x370x360x360x350x360x650x370x340x330x320x330x640x360x330x360x630x360x390x360x330x360x620x320x360x360x350x370x360x360x350x360x650x370x340x330x330x330x640x330x310x320x620x320x350x330x320x340x360x320x620x320x350x330x350x340x320x330x320x330x350x330x300x320x350x330x350x340x340x320x620x320x350x330x350x340x320x360x390x360x650x360x340x360x350x370x380x350x660x360x320x350x660x360x330x320x350x330x350x340x340x320x620x320x350x340x340x330x300x320x350x330x390x330x330x320x350x340x340x330x300x320x350x340x320x340x320x320x350x340x340x330x300x320x350x340x320x330x300x320x350x340x340x330x300x320x350x340x320x330x320x320x350x340x340x330x300x320x350x340x320x340x340x320x350x340x340x330x300x320x350x340x320x330x300x320x350x340x340x330x310x320x350x330x380x340x360x320x620x320x350x340x340x330x310x320x350x330x380x330x310x320x350x340x340x330x310x320x350x330x380x330x320x320x350x340x340x330x340x370x380x360x340x390x320x390x330x370x320x330x300x390x340x370x330x340x300x330x340x2d0x380x380x340x330x340x370x330x340x300x340x390x300x350x370x330x370x340x330x300x340x300x330x340x380x320x2d0x340x300x390x340x380x2d0x320x2d0x340x380x380x320x2d0x330x320x380x380x340x370x370x320x390x390x320x380x380x380x340x370x340x370x320x390x300x340x390x340x370x320x340x300x380x320x340x370x340x370x320x620x320x640x320x620x320x350x340x340x330x300x320x350x330x390x330x340x320x350x340x340x330x300x320x350x340x320x330x350x320x350x340x340x330x300x320x350x340x320x340x330x320x350x340x340x330x300x320x350x340x320x330x380x320x350x340x340x330x300x320x350x340x320x340x310x320x350x340x340x330 | Get hash | malicious | Unknown | Browse | 172.64.41.3
 | fpIGwanLZi.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.48.1
 | fpIGwanLZi.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.48.1
 | AJ5zYYsisA.exe | Get hash | malicious | Unknown | Browse | 188.114.97.3
 | 1SxKeB4u0c.exe | Get hash | malicious | FormBook | Browse | 104.21.95.160
 | SpCuEoekPa.exe | Get hash | malicious | FormBook | Browse | 104.21.64.1
 | AJ5zYYsisA.exe | Get hash | malicious | Unknown | Browse | 188.114.96.3
 | suBpo1g13Q.exe | Get hash | malicious | FormBook | Browse | 188.114.97.3
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | AJ5zYYsisA.exe | Get hash | malicious | Unknown | Browse | 172.67.74.152
 | AJ5zYYsisA.exe | Get hash | malicious | Unknown | Browse | 172.67.74.152
 | 4NG0guPiKA.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 172.67.74.152
 | n0nsAzvYNd.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 172.67.74.152
 | njVvgA8pEB.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 172.67.74.152
 | KtPCqWWnqM.exe | Get hash | malicious | Unknown | Browse | 172.67.74.152
 | YDg44STseR.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 172.67.74.152
 | KtPCqWWnqM.exe | Get hash | malicious | Unknown | Browse | 172.67.74.152
 | ZoRLXzC5qF.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 172.67.74.152
 | 6BRa130JDj.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 172.67.74.152
                                                        No context
                                                        Process:C:\Users\user\Desktop\5hD3Yjf7xD.exe
File Type:ASCII text, with CRLF line terminators (a .NET CLR assembly-usage log: the runtime records which assemblies the process bound, here System.Windows.Forms, System.Drawing, System.Configuration, System.Xml and the native images of System and System.Core; the format is standard, the evidentiary value is the assembly list)
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                        Malicious:true
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                        Process:C:\Users\user\AppData\Roaming\qIQACwuR.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                        Malicious:false
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):2232
                                                        Entropy (8bit):5.379071839957789
                                                        Encrypted:false
                                                        SSDEEP:48:bWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:bLHxvIIwLgZ2KRHWLOug8s
                                                        MD5:4135B00B11C8089FA64CF40DE44EDC1C
                                                        SHA1:3490E9A1BCB4FDEC9332379CD669FB69BB74A601
                                                        SHA-256:A5E4501942BD47C58D7C3934AB6443BC684A3AD54A5709CB62EC2B45504BDC63
                                                        SHA-512:DCB00F8E5764F5710DEEEAC6A810585B07570ECB2753FE83E8604E422FCC7C6B26C52518F385A3483480BCD93B1DC8016C103AC82E7AB823C6C49AB23D079871
                                                        Malicious:false
                                                        Preview:@...e.................................&..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
The same 60-byte file (MD5 D17FE0A3F47BE24A6453E9EF58C94641, Malicious:false) is dropped seven more times by C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe with identical hashes; PowerShell writes this probe script on every start-up to test whether AppLocker constrains scripts, so the count reflects how often powershell.exe was launched rather than anything specific to the malware.
                                                        Process:C:\Users\user\Desktop\5hD3Yjf7xD.exe
File Type:XML 1.0 document, ASCII text (a Task Scheduler task definition: LogonTrigger for the current user, InteractiveToken logon, RunLevel LeastPrivilege, so registering it needs no elevation; note that the XML declaration claims UTF-16 although the bytes are ASCII, and that the RegistrationInfo date is a fixed 2014-10-25 value that does not reflect when the task was written)
                                                        Category:dropped
                                                        Size (bytes):1567
                                                        Entropy (8bit):5.087655075329882
                                                        Encrypted:false
                                                        SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewGv:HeLwYrFdOFzOz6dKrsuqT
                                                        MD5:E2A51E3B59F487185BE9ADFE09C1A5C5
                                                        SHA1:A60D3FF3B031C2B6DC08573F405EEC9538014400
                                                        SHA-256:A705FBBEEC3475E61C29B567A9FBA68053BF096588F1BA92FE840609848ADED0
                                                        SHA-512:4F436860B9AB84B16BF7D19E7B623A51BC6D8622465315B20D5E5CD7F626C805CEB2BE0D7EED0A875BE58EFC11CEF9AFE723EFB9CE3B7498384B09E3D3EB44AD
                                                        Malicious:true
                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                                                        Process:C:\Users\user\AppData\Roaming\qIQACwuR.exe
                                                        File Type:XML 1.0 document, ASCII text
                                                        Category:dropped
                                                        Size (bytes):1567
                                                        Entropy (8bit):5.087655075329882
                                                        Encrypted:false
                                                        SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewGv:HeLwYrFdOFzOz6dKrsuqT
                                                        MD5:E2A51E3B59F487185BE9ADFE09C1A5C5
                                                        SHA1:A60D3FF3B031C2B6DC08573F405EEC9538014400
                                                        SHA-256:A705FBBEEC3475E61C29B567A9FBA68053BF096588F1BA92FE840609848ADED0
                                                        SHA-512:4F436860B9AB84B16BF7D19E7B623A51BC6D8622465315B20D5E5CD7F626C805CEB2BE0D7EED0A875BE58EFC11CEF9AFE723EFB9CE3B7498384B09E3D3EB44AD
                                                        Malicious:false
                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
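The two dropped task definitions above are the persistence mechanism behind the schtasks.exe and scheduled-task findings in this report. The following is an added example written for this page, not code from Joe Sandbox or from the malware, that parses such a file and reports what it runs, when, and as whom, flagging an action binary that lives in a user-writable directory. It embeds a constructed task definition: the RegistrationInfo, Triggers and Principals blocks copy the visible part of the dropped XML, while the Actions block and its command path are assumptions, because the preview is cut off before them. It also handles the quirk visible above: the file declares encoding="UTF-16" but is plain ASCII, which trips a parser that trusts the declaration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a scheduled task's action should not normally run from: anything the user can
# write to without elevation. Lower-cased substrings matched against the <Command> path.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\tmp\\", "\\users\\public\\",
                         "\\programdata\\", "%appdata%", "%localappdata%", "%temp%")

# Constructed task definition. The header, triggers and principal mirror the dropped XML
# in the report; the <Actions> block is an assumption (the preview is truncated before it)
# and the command path is supplied by the caller, not something the report shows.
TASK_TEMPLATE = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>{command}</Command>
    </Exec>
  </Actions>
</Task>
"""


def task_xml(command: str) -> bytes:
    """Render the template as ASCII bytes, reproducing the dropped file's quirk: an XML
    declaration that claims UTF-16 over a file that is plain ASCII."""
    return TASK_TEMPLATE.replace("{command}", command).encode("ascii")


def parse_task(raw: bytes) -> ET.Element:
    """Decode by content rather than by the (unreliable) declaration: genuine Task Scheduler
    exports are UTF-16 with a BOM, malware-written ones are often ASCII that lies about it.
    The declaration is stripped so the parser does not act on it."""
    text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8")
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", text))


def is_user_writable(path: str) -> bool:
    """True if the command path points into a directory a non-admin user can write to."""
    p = path.strip().strip('"').lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def assess_task(raw: bytes) -> dict:
    """Summarise what the task runs, when and as whom, and flag the persistence pattern
    behind this report's scheduled-task findings: an action in a user-writable directory."""
    root = parse_task(raw)
    commands = [c.text or "" for c in root.iterfind(".//t:Exec/t:Command", NS)]
    triggers = root.find("t:Triggers", NS)
    enabled = [t.tag.split("}")[-1] for t in (triggers if triggers is not None else [])
               if t.findtext("t:Enabled", "true", NS) == "true"]
    reasons = []
    if any(is_user_writable(c) for c in commands):
        reasons.append("action binary lives in a user-writable directory")
    if "LogonTrigger" in enabled:
        reasons.append("re-runs at every logon (persistence)")
    return {
        "commands": commands,
        "triggers": enabled,
        "run_level": root.findtext(".//t:Principal/t:RunLevel", "", NS),
        "registration_date": root.findtext("t:RegistrationInfo/t:Date", "", NS),
        "reasons": reasons,
        "suspicious": any(is_user_writable(c) for c in commands),
    }
```

To run it over a real dropped file, read the bytes and call assess_task on them; the decision to decode by BOM rather than by declaration is deliberate, because a parser that honours the declared UTF-16 on these ASCII files fails before it sees the trigger or the command.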
                                                        Process:C:\Users\user\Desktop\5hD3Yjf7xD.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1111088
                                                        Entropy (8bit):7.080929619354295
                                                        Encrypted:false
                                                        SSDEEP:12288:9pZsSjq5o5LUdMyQHuvKp35UZ27TfqSPwYbQsrEOW0tF:9zsQM/vKIE7TCSj8Cr5F
                                                        MD5:C63D82258F1FF64D0F21B6BC5C2BE1E5
                                                        SHA1:1F270B930F58DACF5F18B2658191CA300283ADA0
                                                        SHA-256:81313224EE12F9A06F36E6F47F95F01B1BC30E94BF9C576F3C476B3633A0302B
                                                        SHA-512:DF1C4A894FDB4497AA62B9C0B06CA6ABD5C60C701C56A0E5CF36530BA5D746A9A9A757A1A9DA2767A91E846D7BDF4A17DB7B157F65333FD2DE960AAE7C722509
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 83%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. ....................................@.................................h...O.... ..................0L..........`...p............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................H........x..l.......7....~..Ht...........................................0.............o.....8.....o....t.......u.........,@..t......o....r...po....-..o....r...po....+......,....o.......+&.u...........,...t........o....(........o....:t......u........,...o......*...................0...........#........}.....#........}.....#........}.....#.....L.@}......}......}.....s....}.....s....}.....sG...}.....sM...}......}......}.....(.......(.......{....(.......{!...(.......{....(.......
                                                        Process:C:\Users\user\Desktop\5hD3Yjf7xD.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:true
Preview:[ZoneTransfer]....ZoneId=0 (the body of a Zone.Identifier alternate data stream; ZoneId=0 is the Local Machine zone, so whatever file it is attached to carries no Mark-of-the-Web and SmartScreen and other MotW-aware controls treat it as locally created rather than downloaded)
                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):7.080929619354295
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                        • Win32 Executable (generic) a (10002005/4) 49.97%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        • DOS Executable Generic (2002/1) 0.01%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:5hD3Yjf7xD.exe
                                                        File size:1'111'088 bytes
                                                        MD5:c63d82258f1ff64d0f21b6bc5c2be1e5
                                                        SHA1:1f270b930f58dacf5f18b2658191ca300283ada0
                                                        SHA256:81313224ee12f9a06f36e6f47f95f01b1bc30e94bf9c576f3c476b3633a0302b
                                                        SHA512:df1c4a894fdb4497aa62b9c0b06ca6abd5c60c701c56a0e5cf36530ba5d746a9a9a757a1a9da2767a91e846d7bdf4a17db7b157f65333fd2de960aae7c722509
                                                        SSDEEP:12288:9pZsSjq5o5LUdMyQHuvKp35UZ27TfqSPwYbQsrEOW0tF:9zsQM/vKIE7TCSj8Cr5F
                                                        TLSH:1035942F287D1137E575C37F86D7A8A7A0B44C5E3084B86446E65B7C827E9123C8F62E
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ... ....@.. ....................................@................................
                                                        Icon Hash:2946e68e96b3ca4d
                                                        Entrypoint:0x4e0bba
                                                        Entrypoint Section:.text
                                                        Digitally signed:true
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x8E8E03F4 [Sun Oct 15 09:16:36 2045 UTC] (a link time twenty years in the future: either an overwritten field or the content hash that Roslyn deterministic builds store here; either way it cannot be used to date the build, which is why the report lists a suspicious time stamp)
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744 (the import hash shared by every .NET executable whose only native import is mscoree!_CorExeMain; it identifies the runtime stub, not this malware family, so it has no pivoting value)
                                                        Signature Valid:false
                                                        Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (HRESULT 0x80096010, TRUST_E_BAD_DIGEST: the digest inside the PKCS#7 signature does not match this file's Authenticode hash. A mismatched digest under a certificate that names Google LLC and is issued by DigiCert is the pattern of a signature block copied from a legitimately signed binary and appended to this one. "Digitally signed: true" above therefore only records that a WIN_CERTIFICATE blob is present; it does not vouch for the code.)
Not Before:02/07/2021 01:00:00
Not After:11/07/2024 00:59:59
                                                        Subject Chain
                                                        • CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US
                                                        Version:3
                                                        Thumbprint MD5:DC429A22AA63D23DB8E84F53D05D1D48
                                                        Thumbprint SHA-1:2673EA6CC23BEFFDA49AC715B121544098A1284C
                                                        Thumbprint SHA-256:7D3D117664F121E592EF897973EF9C159150E3D736326E9CD2755F71E0FEBC0C
                                                        Serial:0E4418E2DEDE36DD2974C3443AFB5CE5
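Three of the static facts in this block are worth reproducing rather than taking on trust: a signature block that is present but fails with -2146869232, a link timestamp of 0x8E8E03F4, and an entry point that is a single jmp through the import table. The following is an added example written for this page, not code from Joe Sandbox or from the sample: it builds a constructed minimal PE32 (a stand-in, not the analysed binary), implements the Authenticode hashing rules, and shows why a certificate table lifted from another file leaves the signed hash untouched (so the embedded digest can never match) while still changing the plain file hash. The certificate bytes and the PE layout are constructed; the timestamp value and the error number are the ones the report shows.

```python
import hashlib
import struct
from datetime import datetime, timezone

# The report prints the validation HRESULT as a signed 32-bit integer:
# -2146869232 is 0x80096010, TRUST_E_BAD_DIGEST (embedded digest != file's Authenticode hash).
TRUST_E_BAD_DIGEST = 0x80096010


def hresult(signed_error: int) -> int:
    """Map the signed 'Error Number' from the report back to its HRESULT."""
    return signed_error & 0xFFFFFFFF


def _layout(pe: bytes) -> dict:
    """Offsets of the PE header fields the checks below need (PE32 or PE32+)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    coff, opt = e_lfanew + 4, e_lfanew + 24          # COFF header, then the optional header
    nsec, timestamp, _, _, opt_size = struct.unpack_from("<HIIIH", pe, coff + 2)
    is_pe32 = struct.unpack_from("<H", pe, opt)[0] == 0x10B
    dirs = opt + (96 if is_pe32 else 112)            # first of the 16 data directories
    return {
        "timestamp": timestamp,
        "checksum": opt + 64,                        # CheckSum: excluded from the Authenticode hash
        "size_of_headers": struct.unpack_from("<I", pe, opt + 60)[0],
        "entry_rva": struct.unpack_from("<I", pe, opt + 16)[0],
        "image_base": struct.unpack_from("<I" if is_pe32 else "<Q", pe, opt + (28 if is_pe32 else 24))[0],
        "sec_dir": dirs + 4 * 8,                     # IMAGE_DIRECTORY_ENTRY_SECURITY: excluded too
        "iat_dir": dirs + 12 * 8,                    # IMAGE_DIRECTORY_ENTRY_IAT
        # per section: (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        "sections": [struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i) for i in range(nsec)],
    }


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash the file as Authenticode does: everything except the CheckSum field, the security
    directory entry and the certificate table. Assumes the table, if any, ends the file."""
    lay = _layout(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, lay["sec_dir"])
    if cert_size and cert_off + cert_size != len(pe):
        raise ValueError("certificate table is not at end of file")
    h = hashlib.new(algo)
    h.update(pe[:lay["checksum"]])
    h.update(pe[lay["checksum"] + 4:lay["sec_dir"]])
    h.update(pe[lay["sec_dir"] + 8:lay["size_of_headers"]])
    hashed = lay["size_of_headers"]
    for _, _, _, raw_size, raw_ptr in sorted(lay["sections"], key=lambda s: s[4]):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    h.update(pe[hashed:len(pe) - cert_size])         # overlay data, minus the certificate table
    return h.hexdigest()


def compile_time(pe: bytes) -> datetime:
    """COFF TimeDateStamp as UTC (the report's 0x8E8E03F4 decodes to 2045-10-15 09:16:36)."""
    return datetime.fromtimestamp(_layout(pe)["timestamp"], timezone.utc)


def entry_is_clr_stub(pe: bytes) -> bool:
    """True when the entry point is `jmp dword ptr [IAT slot]`, the 6-byte native stub of a
    32-bit .NET executable (its only native import is mscoree!_CorExeMain). The zero padding
    that follows is what the report's disassembler prints as `add byte ptr [eax], al`."""
    lay = _layout(pe)
    for _, vsize, va, raw_size, raw_ptr in lay["sections"]:
        if va <= lay["entry_rva"] < va + max(vsize, raw_size):
            off = raw_ptr + (lay["entry_rva"] - va)
            break
    else:
        return False
    if pe[off:off + 2] != b"\xFF\x25":
        return False
    target_rva = struct.unpack_from("<I", pe, off + 2)[0] - lay["image_base"]
    iat_va, iat_size = struct.unpack_from("<II", pe, lay["iat_dir"])
    return iat_va <= target_rva < iat_va + iat_size


def build_pe(timestamp: int, cert_blob: bytes = b"") -> bytes:
    """Constructed minimal PE32 (a stand-in, not the analysed sample): one .text section at
    RVA 0x2000 holding an 8-byte IAT and the CLR stub, plus an optional WIN_CERTIFICATE
    table appended at the end, which is where signtool places a real signature."""
    stub = b"\xFF\x25" + struct.pack("<I", 0x400000 + 0x2000)   # jmp dword ptr [00402000h]
    text = (b"\0" * 8 + stub).ljust(0x200, b"\0")
    cert_table = b""
    if cert_blob:                                    # dwLength, wRevision 2.0, PKCS_SIGNED_DATA
        cert_table = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
        cert_table = cert_table.ljust((len(cert_table) + 7) & ~7, b"\0")
    dirs = [(0, 0)] * 16
    dirs[4] = (0x400 if cert_table else 0, len(cert_table))      # security: file offset, size
    dirs[12] = (0x2000, 8)                                       # IAT
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 48, 0, 0x200, 0, 0, 0x2008, 0x2000, 0x4000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x3000, 0x200, 0,
                      2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, len(opt), 0x0102)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    return (dos + coff + opt + section).ljust(0x200, b"\0") + text + cert_table
```

Calling authenticode_hash on build_pe(0x8E8E03F4) with and without a constructed certificate blob returns the same value, because the hash skips exactly the bytes a signature occupies: that is what lets an attacker paste a donor's PKCS#7 blob onto a different file, and also why the donor's embedded digest can never verify against the new file. The plain file hash does change, which is the attacker's other gain: a fresh SHA-256 under a familiar certificate name. On a real sample, pass the file bytes to entry_is_clr_stub and compile_time to confirm the runtime stub and the 2045 link time the report shows.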
                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                        add byte ptr [eax], al
                                                         Name | Virtual Address | Virtual Size | Is in Section
                                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe0b68 | 0x4f | .text
                                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe2000 | 0x2b79a | .rsrc
                                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x10a800 | 0x4c30 |
                                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10e000 | 0xc | .reloc
                                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0xdf260 | 0x70 | .text
                                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                         Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                         .text | 0x2000 | 0xdebc0 | 0xdec00 | 8636caf4041ac26f84b09c5dd2732fdc | False | 0.7520802644500562 | data | 7.201620048730543 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                         .rsrc | 0xe2000 | 0x2b79a | 0x2b800 | 4573d0114b4b418e76ada64508df8bc0 | False | 0.20976450251436782 | data | 5.124995116922287 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                         .reloc | 0x10e000 | 0xc | 0x200 | 19c92e260def07186bb4202005378bad | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                         RT_ICON | 0xe22b0 | 0x3751 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9929383518113127
                                                         RT_ICON | 0xe5a04 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.0891251626641429
                                                         RT_ICON | 0xf622c | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.13335610678999368
                                                         RT_ICON | 0xff6d4 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.16816081330868762
                                                         RT_ICON | 0x104b5c | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.15594000944733113
                                                         RT_ICON | 0x108d84 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.23392116182572614
                                                         RT_ICON | 0x10b32c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.274624765478424
                                                         RT_ICON | 0x10c3d4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.41885245901639345
                                                         RT_ICON | 0x10cd5c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5
                                                         RT_GROUP_ICON | 0x10d1c4 | 0x84 | data | | | 0.7045454545454546
                                                         RT_VERSION | 0x10d248 | 0x368 | data | | | 0.40940366972477066
                                                         RT_MANIFEST | 0x10d5b0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                                         DLL | Import
                                                         mscoree.dll | _CorExeMain
                                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                         Jan 11, 2025 03:56:22.488641977 CET | 52094 | 53 | 192.168.2.9 | 1.1.1.1
                                                         Jan 11, 2025 03:56:22.495667934 CET | 53 | 52094 | 1.1.1.1 | 192.168.2.9
                                                         Jan 11, 2025 03:56:24.465615034 CET | 60956 | 53 | 192.168.2.9 | 1.1.1.1
                                                         Jan 11, 2025 03:56:24.478210926 CET | 53 | 60956 | 1.1.1.1 | 192.168.2.9
                                                         Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                         Jan 11, 2025 03:56:22.488641977 CET | 192.168.2.9 | 1.1.1.1 | 0xddd4 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                                         Jan 11, 2025 03:56:24.465615034 CET | 192.168.2.9 | 1.1.1.1 | 0xc996 | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false
                                                         Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                         Jan 11, 2025 03:56:16.692831993 CET | 1.1.1.1 | 192.168.2.9 | 0x959d | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                         Jan 11, 2025 03:56:16.692831993 CET | 1.1.1.1 | 192.168.2.9 | 0x959d | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
                                                         Jan 11, 2025 03:56:22.495667934 CET | 1.1.1.1 | 192.168.2.9 | 0xddd4 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                                         Jan 11, 2025 03:56:22.495667934 CET | 1.1.1.1 | 192.168.2.9 | 0xddd4 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                                         Jan 11, 2025 03:56:22.495667934 CET | 1.1.1.1 | 192.168.2.9 | 0xddd4 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                                         Jan 11, 2025 03:56:24.478210926 CET | 1.1.1.1 | 192.168.2.9 | 0xc996 | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false
                                                        • api.ipify.org
                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                         0 | 192.168.2.9 | 49741 | 172.67.74.152 | 443 | 7952 | C:\Users\user\Desktop\5hD3Yjf7xD.exe
                                                         Timestamp | Bytes transferred | Direction | Data
                                                         2025-01-11 02:56:23 UTC | 155 | OUT | GET / HTTP/1.1
                                                             User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                             Host: api.ipify.org
                                                             Connection: Keep-Alive
                                                         2025-01-11 02:56:23 UTC | 425 | IN | HTTP/1.1 200 OK
                                                             Date: Sat, 11 Jan 2025 02:56:23 GMT
                                                             Content-Type: text/plain
                                                             Content-Length: 12
                                                             Connection: close
                                                             Vary: Origin
                                                             CF-Cache-Status: DYNAMIC
                                                             Server: cloudflare
                                                             CF-RAY: 9001a220eff743af-EWR
                                                             server-timing: cfL4;desc="?proto=TCP&rtt=5189&min_rtt=1675&rtt_var=2882&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1743283&cwnd=230&unsent_bytes=0&cid=2aedb0e25848fe5c&ts=218&x=0"
                                                         2025-01-11 02:56:23 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
                                                             Data Ascii: 8.46.123.189


                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                         1 | 192.168.2.9 | 49775 | 172.67.74.152 | 443 | 2168 | C:\Users\user\AppData\Roaming\qIQACwuR.exe
                                                         Timestamp | Bytes transferred | Direction | Data
                                                         2025-01-11 02:56:28 UTC | 155 | OUT | GET / HTTP/1.1
                                                             User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                             Host: api.ipify.org
                                                             Connection: Keep-Alive
                                                         2025-01-11 02:56:28 UTC | 424 | IN | HTTP/1.1 200 OK
                                                             Date: Sat, 11 Jan 2025 02:56:28 GMT
                                                             Content-Type: text/plain
                                                             Content-Length: 12
                                                             Connection: close
                                                             Vary: Origin
                                                             CF-Cache-Status: DYNAMIC
                                                             Server: cloudflare
                                                             CF-RAY: 9001a23fed6c43a1-EWR
                                                             server-timing: cfL4;desc="?proto=TCP&rtt=1690&min_rtt=1676&rtt_var=639&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1742243&cwnd=233&unsent_bytes=0&cid=fa3db049575bb729&ts=309&x=0"
                                                         2025-01-11 02:56:28 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
                                                             Data Ascii: 8.46.123.189


                                                        Target ID:0
                                                        Start time:21:56:18
                                                        Start date:10/01/2025
                                                        Path:C:\Users\user\Desktop\5hD3Yjf7xD.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\5hD3Yjf7xD.exe"
                                                        Imagebase:0x2f0000
                                                        File size:1'111'088 bytes
                                                        MD5 hash:C63D82258F1FF64D0F21B6BC5C2BE1E5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1356446762.0000000003769000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1356446762.0000000003769000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:21:56:19
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\5hD3Yjf7xD.exe"
                                                        Imagebase:0x920000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:21:56:20
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff70f010000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:21:56:20
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\qIQACwuR.exe"
                                                        Imagebase:0x920000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:21:56:20
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff70f010000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:21:56:20
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" /XML "C:\Users\user\AppData\Local\Temp\tmp7052.tmp"
                                                        Imagebase:0x8b0000
                                                        File size:187'904 bytes
                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:8
                                                        Start time:21:56:20
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff70f010000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:21:56:21
                                                        Start date:10/01/2025
                                                        Path:C:\Users\user\Desktop\5hD3Yjf7xD.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\5hD3Yjf7xD.exe"
                                                        Imagebase:0x850000
                                                        File size:1'111'088 bytes
                                                        MD5 hash:C63D82258F1FF64D0F21B6BC5C2BE1E5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2591696944.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2591696944.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2591696944.0000000002CC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:false

                                                        Target ID:10
                                                        Start time:21:56:23
                                                        Start date:10/01/2025
                                                        Path:C:\Users\user\AppData\Roaming\qIQACwuR.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\AppData\Roaming\qIQACwuR.exe
                                                        Imagebase:0xb70000
                                                        File size:1'111'088 bytes
                                                        MD5 hash:C63D82258F1FF64D0F21B6BC5C2BE1E5
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 83%, ReversingLabs
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:11
                                                        Start time:21:56:24
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                        Imagebase:0x7ff72d8c0000
                                                        File size:496'640 bytes
                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:12
                                                        Start time:21:56:26
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qIQACwuR" /XML "C:\Users\user\AppData\Local\Temp\tmp8745.tmp"
                                                        Imagebase:0x8b0000
                                                        File size:187'904 bytes
                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:13
                                                        Start time:21:56:26
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff70f010000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:14
                                                        Start time:21:56:26
                                                        Start date:10/01/2025
                                                        Path:C:\Users\user\AppData\Roaming\qIQACwuR.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Roaming\qIQACwuR.exe"
                                                        Imagebase:0xb50000
                                                        File size:1'111'088 bytes
                                                        MD5 hash:C63D82258F1FF64D0F21B6BC5C2BE1E5
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2592897583.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2592897583.00000000030B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2592897583.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Has exited:false


                                                          Execution Graph

                                                          Execution Coverage:11.2%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:55
                                                          Total number of Limit Nodes:2

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1362779530.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4c80000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $%q
                                                          • API String ID: 0-3689577991
                                                          • Opcode ID: eb64f6d7ad5a9dd0e768162511fe64058e1a3dfed69ccc00469a2849de030a68
                                                          • Instruction ID: a9d571a524c2aaba382836d5f9ee2b8a793d2ee3a125123b58fdda7abf44413d
                                                          • Opcode Fuzzy Hash: eb64f6d7ad5a9dd0e768162511fe64058e1a3dfed69ccc00469a2849de030a68
                                                          • Instruction Fuzzy Hash: 7C33E734A11218CFDB25EF64C894EA9B7B6FF89304F5141E9E409AB361DB71AE85CF40

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1362779530.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4c80000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $%q
                                                          • API String ID: 0-3689577991
                                                          • Opcode ID: b8bc3accd6090efa5effb24ae84bd49f6c2421504e86adfed0213c3012c6a1bc
                                                          • Instruction ID: 0e8cb440576cddc7f0ca67c4216b82412a49f7f29d5555cf605d043e70d216c1
                                                          • Opcode Fuzzy Hash: b8bc3accd6090efa5effb24ae84bd49f6c2421504e86adfed0213c3012c6a1bc
                                                          • Instruction Fuzzy Hash: 1133E734A11218CFDB25EF64C894AE9B7B6FF8A304F5141E9E4096B361DB71AE85CF40
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367616585.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cf0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: de9e583eab32bc98efd2b6cc600ba46c26c539395296ffa72567a94b08fb52c6
                                                          • Instruction ID: 2762c859e823572f7c3de6cd42df128108be3918ec24ed5955c1177115f4480e
                                                          • Opcode Fuzzy Hash: de9e583eab32bc98efd2b6cc600ba46c26c539395296ffa72567a94b08fb52c6
                                                          • Instruction Fuzzy Hash: EB21F3B1D116188BEB58CFABC8447DEFAF7AF89300F14C06AD508A62A4DB740945CFA0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367616585.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cf0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ac01de02bd431cf304fecb37fb91babc661c76dee87997ec8acad297db47da0a
                                                          • Instruction ID: 3a7ba00ce6fb7a17b2645df81a0ebebd14cd23549876e90755da91bc9081dd71
                                                          • Opcode Fuzzy Hash: ac01de02bd431cf304fecb37fb91babc661c76dee87997ec8acad297db47da0a
                                                          • Instruction Fuzzy Hash: 1A21C3B1D156188BEB58CFABC8447DEFAF7AFC9310F14C06AD509A6264DB7409458FA0

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CFE1E6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367616585.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cf0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: 9dd364674c2f4674301021b9228e0db435136f059fc545450aaf0d3947bf5deb
                                                          • Instruction ID: ae41c4a248e1ae5f15bf8c6a3e71082c8ba95b14f9b819f0170017ddd4747021
                                                          • Opcode Fuzzy Hash: 9dd364674c2f4674301021b9228e0db435136f059fc545450aaf0d3947bf5deb
                                                          • Instruction Fuzzy Hash: DAA1AD70D10259DFEBA0CFA9CC40BDDBBB2BF48300F048569E904A7290DB759A85CF91

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CFE1E6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367616585.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cf0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: 0167920d3b6680029e7ea2b287ccf35abbcaeac7c5d349bee8fdfbc74b1aa4ef
                                                          • Instruction ID: cea8e81a8f4734998220ae271c3ca2b7557e13d4bc7afacca4eeb01cdf1f998f
                                                          • Opcode Fuzzy Hash: 0167920d3b6680029e7ea2b287ccf35abbcaeac7c5d349bee8fdfbc74b1aa4ef
                                                          • Instruction Fuzzy Hash: BE918D70D102599FEBA0CFA9CC417DDBBB2BF48310F048569E908A7290DB759A85CF91

                                                          Control-flow Graph

                                                          [Rendered control-flow graph omitted: basic blocks c8449c-c85a61; CreateActCtxA is called from block c8449c-c859d9.]
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 00C859C9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1352987444.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_c80000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: 11084ad2646f6b3c96ff5aa562879c3b839fb7f625f9dd216a14ec5462b18f9f
                                                          • Instruction ID: de216b55572efc15dde6b91fb64bb5994e546dabc80f58278e12f111fb51345b
                                                          • Opcode Fuzzy Hash: 11084ad2646f6b3c96ff5aa562879c3b839fb7f625f9dd216a14ec5462b18f9f
                                                          • Instruction Fuzzy Hash: D541B2B0D04719CBDB24DFA9C884BDEBBB5BF48704F20816AD418AB251DBB56946CF50

                                                          Control-flow Graph

                                                          [Rendered control-flow graph omitted: basic blocks c8590c-c85a61; CreateActCtxA is called from block c8590c-c859d9.]
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 00C859C9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1352987444.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_c80000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: a9661df78db2a1922c781ea665c5b3f2fa66cd240b54d1e187b99d01d1b5aa61
                                                          • Instruction ID: 4f883ba443904d73c1d9b29bcca6edc41a5ada3face7e919eac763e72eaca2e2
                                                          • Opcode Fuzzy Hash: a9661df78db2a1922c781ea665c5b3f2fa66cd240b54d1e187b99d01d1b5aa61
                                                          • Instruction Fuzzy Hash: 5E41C2B1D00719CBEB24DFA9C8847DDBBF2BF48704F20816AD418AB251DBB56986CF50

                                                          Control-flow Graph

                                                          [Rendered control-flow graph omitted: basic blocks 4c841e0-4c842fc; CallWindowProcW is called from block 4c8427a-4c842b2.]
                                                          APIs
                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 04C842A1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1362779530.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4c80000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: CallProcWindow
                                                          • String ID:
                                                          • API String ID: 2714655100-0
                                                          • Opcode ID: 1beaf9b1aac188e16717a1805767d45ae558c7338c5b5001e8e223dc6c990a64
                                                          • Instruction ID: e953e2245e09a2341115483e9d3fa1928b721aadf84aee9196262cc9fde88c51
                                                          • Opcode Fuzzy Hash: 1beaf9b1aac188e16717a1805767d45ae558c7338c5b5001e8e223dc6c990a64
                                                          • Instruction Fuzzy Hash: A7413AB8904305DFDB14DF89C448BAABBF6FB88314F25C459D518AB321D374A841CFA4

                                                          Control-flow Graph

                                                          [Rendered control-flow graph omitted: basic blocks 6cd5d50-6cd5e22; DrawTextExW is called from block 6cd5dc3-6cd5dfc.]
                                                          APIs
                                                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 06CD5DEF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367387951.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cd0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: DrawText
                                                          • String ID:
                                                          • API String ID: 2175133113-0
                                                          • Opcode ID: aa807db35dbfe07a60e64a1683f298dd4b5cc4dddeeed7a927eabbb4dfc58f1e
                                                          • Instruction ID: ca4c5477c238285e02cbf4eb0add6cd204c512cd716465de99bdaa4eadc52b53
                                                          • Opcode Fuzzy Hash: aa807db35dbfe07a60e64a1683f298dd4b5cc4dddeeed7a927eabbb4dfc58f1e
                                                          • Instruction Fuzzy Hash: 173102B5D003499FCB10CF9AD884AEEBBF4EB48320F54842EE919A7210D774A944CFA1

                                                          Control-flow Graph

                                                          [Rendered control-flow graph omitted: basic blocks 6cfd920-6cfd9fe; WriteProcessMemory is called from block 6cfd986-6cfd9c5.]
                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CFD9B8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367616585.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cf0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: e75f8d797c2ac1286640dcee6d00dd70e7703f81b3b097f58d91f5a5ae13b058
                                                          • Instruction ID: cf2e36d14e0edce5cf7a7d027033bf21066648b5bb6beb783c98c4d65bd6a0f3
                                                          • Opcode Fuzzy Hash: e75f8d797c2ac1286640dcee6d00dd70e7703f81b3b097f58d91f5a5ae13b058
                                                          • Instruction Fuzzy Hash: F7216BB19003099FDF40CFA9C841BDEBBF5FF48310F108429E959A7240DB74AA54CBA1

                                                          Control-flow Graph

                                                          [Rendered control-flow graph omitted: basic blocks 6cd5d58-6cd5e22; DrawTextExW is called from block 6cd5dc3-6cd5dfc.]
                                                          APIs
                                                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 06CD5DEF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367387951.0000000006CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cd0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: DrawText
                                                          • String ID:
                                                          • API String ID: 2175133113-0
                                                          • Opcode ID: dd1370578aeac750d74e4d52515d2eb9e17ba235a9b987b29f5160b9060e41f3
                                                          • Instruction ID: c170b9697bffc05972ff7313806d59d94dd6dd66a8558c1140f0fe1d09a62a63
                                                          • Opcode Fuzzy Hash: dd1370578aeac750d74e4d52515d2eb9e17ba235a9b987b29f5160b9060e41f3
                                                          • Instruction Fuzzy Hash: 3021C0B5D003499FDB10CF9AD884A9EFBF5FB58310F54842AE919A7210D775A944CFA0

                                                          Control-flow Graph

                                                          [Rendered control-flow graph omitted: basic blocks 6cfd928-6cfd9fe; WriteProcessMemory is called from block 6cfd986-6cfd9c5.]
                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CFD9B8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367616585.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cf0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: 5557d196398db19012141d905ebe1315433953a66f353d656bb5a2333969dc9c
                                                          • Instruction ID: 07cb8e8486faef7c65615b44fa143d1bee336acfb92bcd6fd2798c0f4d137a1b
                                                          • Opcode Fuzzy Hash: 5557d196398db19012141d905ebe1315433953a66f353d656bb5a2333969dc9c
                                                          • Instruction Fuzzy Hash: DE215AB19003499FDF40CFA9C8417DEBBF5FF48310F108429E959A7240CB749A40CBA0

                                                          Control-flow Graph

                                                          [Rendered control-flow graph omitted: basic blocks 6cfd351-6cfd41c; Wow64SetThreadContext is called from block 6cfd3bd-6cfd3e3.]
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CFD3D6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367616585.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cf0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: 552e8b67d833c3fcd68c530fe599b93d8123984a4c63d9cecf1378619d15456b
                                                          • Instruction ID: c515d9a627c139705b4746ef8aff28f388de214ddf7739009e29aa32ccd0569c
                                                          • Opcode Fuzzy Hash: 552e8b67d833c3fcd68c530fe599b93d8123984a4c63d9cecf1378619d15456b
                                                          • Instruction Fuzzy Hash: 242125B19003099FDB50DFAAC4857EEBBF4AF48210F548429D559A7241C778A944CFA4

                                                          Control-flow Graph

                                                          [Rendered control-flow graph omitted: basic blocks 6cfda10-6cfdade; ReadProcessMemory is called from block 6cfda10-6cfdaa5.]
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CFDA98
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367616585.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cf0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: 5e08c8b6f74668e755c7e7306f2cd41bde5d8369a3c1e9b44e6b21ad746d081d
                                                          • Instruction ID: 3abf595ae8baa7bc736ceb79e90b252aaa7251232009b83c66a7c55540afea4a
                                                          • Opcode Fuzzy Hash: 5e08c8b6f74668e755c7e7306f2cd41bde5d8369a3c1e9b44e6b21ad746d081d
                                                          • Instruction Fuzzy Hash: E42136B1D003499FDB10DFAAC841BEEBBF5FF48310F50842AE919A7240DB75A941CBA5

                                                          Control-flow Graph

                                                          [Rendered control-flow graph omitted: basic blocks c8bca0-c8d8ca; DuplicateHandle is called from block c8bca0-c8d8a4.]
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C8D7D6,?,?,?,?,?), ref: 00C8D897
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1352987444.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_c80000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 043f5c8059d38c0942df78166a2c3b90593e5153bdd6d223b818dff0fcdd10f4
                                                          • Instruction ID: 5b5844e510acf54ed351f253937dd62b64ab4558110c3cb1529a0895c4d4d9c2
                                                          • Opcode Fuzzy Hash: 043f5c8059d38c0942df78166a2c3b90593e5153bdd6d223b818dff0fcdd10f4
                                                          • Instruction Fuzzy Hash: 382103B5D00248AFDB10DF9AD884BEEBBF4EB48310F14842AE958A7351D374A954CFA5

                                                          Control-flow Graph

                                                          [Rendered control-flow graph omitted: basic blocks c8d808-c8d8ca; DuplicateHandle is called from block c8d808-c8d8a4.]
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C8D7D6,?,?,?,?,?), ref: 00C8D897
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1352987444.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_c80000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 246b3dceb0b581ea5d24e86239a3e4b7c04aca4a7dd63ff416ab826b4438ba4b
                                                          • Instruction ID: c751cdf88608126773847ea859cebe7279ccf664fe165a16c483c90eb766e45c
                                                          • Opcode Fuzzy Hash: 246b3dceb0b581ea5d24e86239a3e4b7c04aca4a7dd63ff416ab826b4438ba4b
                                                          • Instruction Fuzzy Hash: 5621E2B5D00248AFDB10CFAAD484BDEBBF4EB48320F14842AE958A7350D374A955CFA5
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CFD3D6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367616585.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cf0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: 886d0e0bbadaf9f373344544406034719a0f4da80c10e6850698db72fdb34b91
                                                          • Instruction ID: 07455aefce5db1af6f5e0481aebcfb0fd23af745595ac5a7fce1e93c1769235c
                                                          • Opcode Fuzzy Hash: 886d0e0bbadaf9f373344544406034719a0f4da80c10e6850698db72fdb34b91
                                                          • Instruction Fuzzy Hash: AD2135B1D003098FDB50DFAAC4857EEBBF4EF48310F54842AD559A7241CBB8A944CFA4
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CFDA98
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367616585.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cf0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: 1598f9b4267304bcd75ed5397f9df0c67e84ad192886ba4e68c113c78b0bfd6f
                                                          • Instruction ID: 4bd14573acbe833ac5411b5a1e240552da973a7f984ff8538cad62efb0ff56ea
                                                          • Opcode Fuzzy Hash: 1598f9b4267304bcd75ed5397f9df0c67e84ad192886ba4e68c113c78b0bfd6f
                                                          • Instruction Fuzzy Hash: 122116B19003499FDB10DFAAC841BEEBBF5FF48310F50842AE959A7240D7759940CBA5
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CFD8D6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367616585.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cf0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 8617d3fef48f02367c2a2a1f5ff7bf2a26a348de1bf42bd73d978bb5e59ad2ba
                                                          • Instruction ID: 7aac5bcf897b95766843cf59e6908647d15073fbbc0e17c0ed105f2e99c3f64b
                                                          • Opcode Fuzzy Hash: 8617d3fef48f02367c2a2a1f5ff7bf2a26a348de1bf42bd73d978bb5e59ad2ba
                                                          • Instruction Fuzzy Hash: 331144B18003499FDB10DFAAC845BEEBBF5EF48310F14842AE959A7250C775A950CFA0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367616585.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cf0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 2238223429cc72505a8bee64bd51e710c5732f545e41028931de31813db5bf5d
                                                          • Instruction ID: a38762a5fa2dbee22968b95db7dcdacd2e5e6c71f8afe69ce0fdf488da11a9f4
                                                          • Opcode Fuzzy Hash: 2238223429cc72505a8bee64bd51e710c5732f545e41028931de31813db5bf5d
                                                          • Instruction Fuzzy Hash: 821146B1C003488FDB10DFAAC8457EFBBF4EF88324F248429D519A7240CB79A944CBA4
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CFD8D6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367616585.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cf0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 2c340387beefe32a01fe47e07480ebae32a65456af4142b2dcad805fb7c3b0cc
                                                          • Instruction ID: dddd641b517d0c38290344156b78c839db8042282f55e241fc78b57197cf9f90
                                                          • Opcode Fuzzy Hash: 2c340387beefe32a01fe47e07480ebae32a65456af4142b2dcad805fb7c3b0cc
                                                          • Instruction Fuzzy Hash: C41126718003499FDF10DFAAC845BEEBBF5EF48310F14842AE555A7250C775A950CFA0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367616585.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cf0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: f2d7f7efe163bc9a8945d0a17730e990b0d1f826f721b9b514e4b224e3480339
                                                          • Instruction ID: f396728452fdb67172d0cd875adc150d5f4274801623710b4f952f2418384a8f
                                                          • Opcode Fuzzy Hash: f2d7f7efe163bc9a8945d0a17730e990b0d1f826f721b9b514e4b224e3480339
                                                          • Instruction Fuzzy Hash: 9F1125B1D003488FDB10DFAAC4457AEFBF4EF88324F248429D559A7240CB75A944CBA4
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00C8B17E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1352987444.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_c80000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1352628403.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bbd000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1352701275.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bcd000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1352701275.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bcd000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1352701275.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bcd000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1352628403.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bbd000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1352701275.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bcd000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1352628403.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bbd000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1352628403.0000000000BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BBD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_bbd000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367616585.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cf0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1362779530.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4c80000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367616585.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cf0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367616585.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cf0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1367616585.0000000006CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CF0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6cf0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1352987444.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_c80000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1362779530.0000000004C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_4c80000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:

                                                          Execution Graph

                                                          Execution Coverage:11.3%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:97
                                                          Total number of Limit Nodes:12
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:

                                                          Control-flow Graph

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 067F2D06
                                                          • GetCurrentThread.KERNEL32 ref: 067F2D43
                                                          • GetCurrentProcess.KERNEL32 ref: 067F2D80
                                                          • GetCurrentThreadId.KERNEL32 ref: 067F2DD9
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603111976.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_67f0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID:
                                                          • API String ID: 2063062207-0
                                                          • Opcode ID: 6019c9fd375f37fe448d4a0a75a0c4e4a97197bcb24decf972ab3ee170b9c668
                                                          • Instruction ID: 922cdd23abc32302cdc8f069483084df846db9f08b29160287aa8ff363edbae4
                                                          • Opcode Fuzzy Hash: 6019c9fd375f37fe448d4a0a75a0c4e4a97197bcb24decf972ab3ee170b9c668
                                                          • Instruction Fuzzy Hash: 485169B0900609CFDB54CFA9D948BEEBBF1FF48314F208029E159A7361D7745948CB66

                                                          Control-flow Graph

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 067F2D06
                                                          • GetCurrentThread.KERNEL32 ref: 067F2D43
                                                          • GetCurrentProcess.KERNEL32 ref: 067F2D80
                                                          • GetCurrentThreadId.KERNEL32 ref: 067F2DD9
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603111976.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_67f0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID:
                                                          • API String ID: 2063062207-0
                                                          • Opcode ID: fccab4bb306338bb52bcb5264f86f08c86ce50efeb50a6517a4ad7ed97f858c3
                                                          • Instruction ID: 42a00a68719296dd176ddfefc0c330a16cf45a451161a80fb5221fa3adcacd5e
                                                          • Opcode Fuzzy Hash: fccab4bb306338bb52bcb5264f86f08c86ce50efeb50a6517a4ad7ed97f858c3
                                                          • Instruction Fuzzy Hash: 055158B0900609CFDB54DFAAD948BEEBBF1BF48314F208029D159A7361D7745948CB65

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 067FB3FE
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603111976.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_67f0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 723c7f37db2c58ef82095d7386cbc8ef1f3d6418be7394bfbb8f9a57c39f2470
                                                          • Instruction ID: 62ac6912e2f587a1f6e7c047917f58c7d2445d9c1a9555cb7320b3bc589f82da
                                                          • Opcode Fuzzy Hash: 723c7f37db2c58ef82095d7386cbc8ef1f3d6418be7394bfbb8f9a57c39f2470
                                                          • Instruction Fuzzy Hash: AA815370A10B058FD7A4CF6AD445B6ABBF1FF88600F008A29D59AD7B40DB75E849CB91

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2591272586.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_2be0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 01b208e04094e5f850d98f281ca42692e321d39c230cc589f890f990c9dbcad2
                                                          • Instruction ID: df8664d75eee3a4c0a7d4dac2906b9992f2fb0c1514ae3b5151866866f598708
                                                          • Opcode Fuzzy Hash: 01b208e04094e5f850d98f281ca42692e321d39c230cc589f890f990c9dbcad2
                                                          • Instruction Fuzzy Hash: 85516671E043899FDF15CF79D8443AEBBF5EF8A220F0485AAD446E7241DB74A841C7A1

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 067FD4A2
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603111976.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_67f0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0
                                                          • Opcode ID: 466199785fea566815458e1a59727cbd7dc4c1c5cbfd84279815ade040fdde23
                                                          • Instruction ID: 2a75e63c99f48d605c12f22a4ea843ea4884a87578b012f28487e4dcb77b153f
                                                          • Opcode Fuzzy Hash: 466199785fea566815458e1a59727cbd7dc4c1c5cbfd84279815ade040fdde23
                                                          • Instruction Fuzzy Hash: 9951C1B1D103489FDB24CF9AC984ADEBBB5BF48310F24812AE918AB210D775A845CF90

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 067FD4A2
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603111976.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_67f0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0
                                                          • Opcode ID: 674195b89d377bb7aa0acdd26eee75c919acae9f71b774508da4ffa614c8a89f
                                                          • Instruction ID: 0b7b209394264b57579aae583e4d1081652a27ab0b995ad90c6388296c533ca9
                                                          • Opcode Fuzzy Hash: 674195b89d377bb7aa0acdd26eee75c919acae9f71b774508da4ffa614c8a89f
                                                          • Instruction Fuzzy Hash: BA41B0B1D103099FDB14CF9AC984AEEBBB5FF48314F24812AE918AB250D775A845CF90

                                                          Control-flow Graph

                                                          APIs
                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 067FFB91
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603111976.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_67f0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: CallProcWindow
                                                          • String ID:
                                                          • API String ID: 2714655100-0
                                                          • Opcode ID: da68f1adc90cd719958ffd90c54456bce71242a6670608de5472e825f46db791
                                                          • Instruction ID: f710cee8d35923a64d0aba87ce6510762c927221707f8edff4fe94f774eb7fdc
                                                          • Opcode Fuzzy Hash: da68f1adc90cd719958ffd90c54456bce71242a6670608de5472e825f46db791
                                                          • Instruction Fuzzy Hash: 7D3115B5A10205CFDB54CF55C888FAABBF5FF88314F24C899D6599B321D778A841CBA0

                                                          Control-flow Graph

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 067F2F57
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603111976.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_67f0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: ed0256c6db6d798c05273720caa1bba584b80321907f76d6627c9de06be7a6b2
                                                          • Instruction ID: d6da18faa4b7a45fe8d1b813cdb1116f25c3b544fe158a4b8b62525c6ec5a281
                                                          • Opcode Fuzzy Hash: ed0256c6db6d798c05273720caa1bba584b80321907f76d6627c9de06be7a6b2
                                                          • Instruction Fuzzy Hash: 932105B5D10208DFDB50CFAAD584AEEBBF4FB48310F14802AE958A7311D374A954CFA1

                                                          Control-flow Graph

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 067F2F57
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603111976.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_67f0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: fcbabc1b1e29e34621a3051f0b6e0aee2cf903f16563a321a26bf75af5286b66
                                                          • Instruction ID: 4335eea9eebed1fd02f9606455b313e50715deafcf9ee679e2fab166a5c28515
                                                          • Opcode Fuzzy Hash: fcbabc1b1e29e34621a3051f0b6e0aee2cf903f16563a321a26bf75af5286b66
                                                          • Instruction Fuzzy Hash: 7F21E4B5D10208DFDB10CF9AD984ADEBBF4FB48310F14802AE958A3351D374A954CFA5

                                                          Control-flow Graph

                                                          APIs
                                                          • GlobalMemoryStatusEx.KERNELBASE ref: 02BEEC87
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2591272586.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_2be0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: GlobalMemoryStatus
                                                          • String ID:
                                                          • API String ID: 1890195054-0
                                                          • Opcode ID: 716c7b3e6b23b4dd8a8062100a61031dbc837281dc4398ad1ce5f5fdda544f29
                                                          • Instruction ID: 36b11cea066e71619c5e3ee8feb87b1a032ce2333b7a3df609f98a86e31a0f38
                                                          • Opcode Fuzzy Hash: 716c7b3e6b23b4dd8a8062100a61031dbc837281dc4398ad1ce5f5fdda544f29
                                                          • Instruction Fuzzy Hash: 16111FB1C006599BCB10CF9AC544BDEFBF4EF48224F15816AD818A7240D378A944CFA5

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 067FB3FE
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603111976.00000000067F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_67f0000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: e2d57641199f99967f6c414db8c2e34efc265e8bb37338e58c9db4be7e5791ef
                                                          • Instruction ID: ef95a715b971d978514086bc8b8120e63e48b718b1aa423b670bd1d4d1733113
                                                          • Opcode Fuzzy Hash: e2d57641199f99967f6c414db8c2e34efc265e8bb37338e58c9db4be7e5791ef
                                                          • Instruction Fuzzy Hash: F711DFB5C006498FDB10CF9AC544BEEFBF4AF88624F10842AD959A7310D375A545CFA1

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 80c982d7563942dd32ce387d547625cb78643720593f37a2c65492c0c2a3bcbd
                                                          • Instruction ID: bca140c44c061562ba2991a95f3b854e64d401f169b4e447396901a8f97b602d
                                                          • Opcode Fuzzy Hash: 80c982d7563942dd32ce387d547625cb78643720593f37a2c65492c0c2a3bcbd
                                                          • Instruction Fuzzy Hash: D1622D30A00705CFEB55EFA8D990A5EB7A2FF84304B60CA68D005EF255DB71ED96CB91
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c4d205ae8047209d1a9c346e6c361621692ef95e4a07304a00a0e11ecb032ed9
                                                          • Instruction ID: 1c7220bfc5a9004a278b788efc2447a24a994d1fbfb7bdc1768c2dfc784f36d1
                                                          • Opcode Fuzzy Hash: c4d205ae8047209d1a9c346e6c361621692ef95e4a07304a00a0e11ecb032ed9
                                                          • Instruction Fuzzy Hash: B9325274B102059FEB94DFA8D890BAEB7B6FB89310F108A29D505E7395DB31DC41CB91
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b26496a53f0157853a82c0221948e03867e9bf2a6266627b067ed9d5f92e470b
                                                          • Instruction ID: 0ea9b5d53c2b1db34e9b910d92a359b9577f7089c692f72c5af6d48d5dbef366
                                                          • Opcode Fuzzy Hash: b26496a53f0157853a82c0221948e03867e9bf2a6266627b067ed9d5f92e470b
                                                          • Instruction Fuzzy Hash: 8E026F30E10209CFEBA4DBA8D8947ADB7B1FF45314F20896AD515EB295DB32DC41CB91
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cb74359d7429fef8f27a99d6be9724bcd3c058245aa9666d4f047e8b586b85dd
                                                          • Instruction ID: df926bf76985f50cc18cfad150900b2d63f09843806371bf21cfdbd9a18b5dd1
                                                          • Opcode Fuzzy Hash: cb74359d7429fef8f27a99d6be9724bcd3c058245aa9666d4f047e8b586b85dd
                                                          • Instruction Fuzzy Hash: C3024830A00204CFEBA4DB64C968A6DB7E2FF45354F54C8A9D51AEB291DBB1ED41CB90
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b3ad0eb163fb374bfbc1958b32be2c3ca0cccbac768f6c9ac50054bee20c36a2
                                                          • Instruction ID: ca034f95f604ce00c51c8c951a79a74a5d3318c85ce6b8d98af89b28aa93215a
                                                          • Opcode Fuzzy Hash: b3ad0eb163fb374bfbc1958b32be2c3ca0cccbac768f6c9ac50054bee20c36a2
                                                          • Instruction Fuzzy Hash: 18E16130E103058FEBA9DBA8D8906AEB7B6FF85310F108929D506EB395DB71DC41CB91
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a74dab889c474cbf26cb1be3d2864e4eb9fbcc4f3a54c4473f63c45d465cdc3e
                                                          • Instruction ID: cd98c86fb9940f8d9acd9487f4fffc409de9adb3e5c13d693d7669e6ecf45d1e
                                                          • Opcode Fuzzy Hash: a74dab889c474cbf26cb1be3d2864e4eb9fbcc4f3a54c4473f63c45d465cdc3e
                                                          • Instruction Fuzzy Hash: 8F915270B006198FDF94EB69D8607AE7BB6BFC8700F508569C509EB385EF309D459BA0
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: afc7f6b02b875e001c2c0457d7de3a918a64080683dc5b02e5fda48107e23a7c
                                                          • Instruction ID: b603e7a42a56e4fc8307ff9972ec2631878c1e9816f20621abb0ed0da9c0c238
                                                          • Opcode Fuzzy Hash: afc7f6b02b875e001c2c0457d7de3a918a64080683dc5b02e5fda48107e23a7c
                                                          • Instruction Fuzzy Hash: 4861B371F001114FEF649B6ECC4066EBAE7AFC4610B554439D90ADB3A0EE76ED4287D1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f813f92a9bb74633a99de7c65188775141a0aeba8e18d84c8a7bfda6e1809547
                                                          • Instruction ID: 7ad90c05f199241fecda2f29f467a9d9be7f56fb7227e6086c2b471969293b1e
                                                          • Opcode Fuzzy Hash: f813f92a9bb74633a99de7c65188775141a0aeba8e18d84c8a7bfda6e1809547
                                                          • Instruction Fuzzy Hash: D0816234B102048FDB94DFB9D8547AEBBF2AF89300F108528D50AEB395EB75DC429B91
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 89b8e80fc6830ab346afd2e622206b37b863e24e0c6e1e1b4a609bd91e523d11
                                                          • Instruction ID: ba5e0d2d302487d265df46bc19ae1a8ba162d642be62dde07e9d646d84a40ddd
                                                          • Opcode Fuzzy Hash: 89b8e80fc6830ab346afd2e622206b37b863e24e0c6e1e1b4a609bd91e523d11
                                                          • Instruction Fuzzy Hash: 38912E30E102598BEF60DF68C850B9DB7B1FF89310F208A99D549EB291DB71A985CF91
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cc33f43ce2451c015d94dd28c2e2784f9bcf9404ab91586094b55571ee48b13f
                                                          • Instruction ID: 4a50361ce2a274f962b78547933bdb675ae70e09876c5f3406e139b33b10f51f
                                                          • Opcode Fuzzy Hash: cc33f43ce2451c015d94dd28c2e2784f9bcf9404ab91586094b55571ee48b13f
                                                          • Instruction Fuzzy Hash: D4911F30E10619CBEF64DF68C850B9DB7B1FF89310F208A99D549BB294DB71A985CF90
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 75df64f6e6ae26b0a85b1e0510fff8bfe718d1d4b49e6a0591d299206b5c5812
                                                          • Instruction ID: 025137caa433998724bf6e732cc1c6dcf653ada63b56a16e289706a4e8cfb537
                                                          • Opcode Fuzzy Hash: 75df64f6e6ae26b0a85b1e0510fff8bfe718d1d4b49e6a0591d299206b5c5812
                                                          • Instruction Fuzzy Hash: A3814170A002488FEB95DBA8D884AAEB7F6BF84300F14C969D505EB395DB70EC46CB51
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3d773c74178b79b85a7381acc2e32c05adce820eb5c5a4de8158bbb81fed5af4
                                                          • Instruction ID: e39577ad4d1c91e78bb8bf002c323972d684fb37013659fce3ae171cf535e5b9
                                                          • Opcode Fuzzy Hash: 3d773c74178b79b85a7381acc2e32c05adce820eb5c5a4de8158bbb81fed5af4
                                                          • Instruction Fuzzy Hash: 1D714D70A002088FEB95DBA8D990AAEB7F6FF88300F14C969D515EB355DB70EC46CB51
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0f8dd56c55b2ac3ebd7c9571e032dd2d0ad8d9b9efe6ec06f94f9791f3630d55
                                                          • Instruction ID: 06445958c610137574b7e8b8aff1b1604b5966ff4105f50fe3190366250e33d0
                                                          • Opcode Fuzzy Hash: 0f8dd56c55b2ac3ebd7c9571e032dd2d0ad8d9b9efe6ec06f94f9791f3630d55
                                                          • Instruction Fuzzy Hash: C5615E30F002189FEB549BA9C8147AEBAF6FF88710F208529D606EB394DF758C459B91
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 84665aa67f97ea989e470a03aa105818b48d1b3afdc67003e36f95258ff4822f
                                                          • Instruction ID: 6695b243946ca9fac35b360c46124f483991ff3eb627c74535443761a8a34c8c
                                                          • Opcode Fuzzy Hash: 84665aa67f97ea989e470a03aa105818b48d1b3afdc67003e36f95258ff4822f
                                                          • Instruction Fuzzy Hash: 0251D531E00219DFEBA4EB78E8446ADB7B2FB85311F108C79DA06D7290DF359955C790
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d2d0d0867c080c9f39d7eafd29a8b0577a7a5527128d2133502c2bd78afa723d
                                                          • Instruction ID: 6a2ec63538f392334e4c101c12b2d81c722fb786c7b3f18957cf9ef4446af5bb
                                                          • Opcode Fuzzy Hash: d2d0d0867c080c9f39d7eafd29a8b0577a7a5527128d2133502c2bd78afa723d
                                                          • Instruction Fuzzy Hash: C351A430B10214DBFFB496A9EC6477E275AD789310F208836EA0AD73D4CE69CC5587A1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dc49d26acdc65137e7687f4e025b8e35ee61a6b7a14f2e6d224bae72859400b3
                                                          • Instruction ID: c04f2fce7f257e1a27710b0a6f7cb0562323499041832e98c571b166742e80cc
                                                          • Opcode Fuzzy Hash: dc49d26acdc65137e7687f4e025b8e35ee61a6b7a14f2e6d224bae72859400b3
                                                          • Instruction Fuzzy Hash: A1517330B10214DBFFB4A6A9DC64B3E275AD789750F20883AEA0AD73D4CE79CC5547A1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9cee5acd1878f89d887db4f817275bf261d80b2bd0d25cb0c45db75c34600d46
                                                          • Instruction ID: 657d5511268f23b80fb18d173fe3d37c80ba50118f01c5f231c7fdc527aa800f
                                                          • Opcode Fuzzy Hash: 9cee5acd1878f89d887db4f817275bf261d80b2bd0d25cb0c45db75c34600d46
                                                          • Instruction Fuzzy Hash: 27514470B005158FDB95EB79D860BAE7BF6ABC8750F508469C50AE7385EF30AC41DBA0
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4a90e19edf4c80154523f11dd9b059d42b93832654624661ba14795dadb4cc8b
                                                          • Instruction ID: ebd2e0ff0413cee93a63f7c6b2159120a10aabb0a2bc6ce80f3fab24cce9a5cd
                                                          • Opcode Fuzzy Hash: 4a90e19edf4c80154523f11dd9b059d42b93832654624661ba14795dadb4cc8b
                                                          • Instruction Fuzzy Hash: 44416171E006099FEFB0CE99CD80AAEF7B2FB45310F108926D215D7690D230E9558FA2
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3de6d825b0ebcf8cd21dc5c6322d955f5a752735da42f57dce73748476937234
                                                          • Instruction ID: 1aceb78742ba73f40509ea9932e7689292921e3489632c7df1c417cdd4bf7691
                                                          • Opcode Fuzzy Hash: 3de6d825b0ebcf8cd21dc5c6322d955f5a752735da42f57dce73748476937234
                                                          • Instruction Fuzzy Hash: 2F515D30A002189FEB55DFE9C814BAEBBF6BF88700F208529D605EB395DB759C05DB90
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 37b1bded856f1bc9b60fae8a484cc99abaa91e80929237e7c8b3e4b73cbd3134
                                                          • Instruction ID: e0f45770aed92cdd0872122c5510c60570b40abe328d97b5dd147e975e408dcd
                                                          • Opcode Fuzzy Hash: 37b1bded856f1bc9b60fae8a484cc99abaa91e80929237e7c8b3e4b73cbd3134
                                                          • Instruction Fuzzy Hash: 71416030E04209DFEBA5DFA5C85069EBBB2BF85300F248929D906EB280DF75D942CB51
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5612e02008af3b127dd7fe6482107d9468c07e24aa3061faf453982c3929c972
                                                          • Instruction ID: 48c4f08bb133fdade72b4b4d92c18bd2363181df11bca6d29e7bcd3f3d21bc07
                                                          • Opcode Fuzzy Hash: 5612e02008af3b127dd7fe6482107d9468c07e24aa3061faf453982c3929c972
                                                          • Instruction Fuzzy Hash: C931D230B102058FEB99ABB8D86876E7BA3AF89710F10496CC402DB394DF75CD42C7A1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 14a70174b213a68fd5711486cbab5afbf70a885da64a76b5e5881dfb4187cc11
                                                          • Instruction ID: b152960809ce59cacfec1da3ab41b2c0968716099634f7ae0bce5e07dca0050a
                                                          • Opcode Fuzzy Hash: 14a70174b213a68fd5711486cbab5afbf70a885da64a76b5e5881dfb4187cc11
                                                          • Instruction Fuzzy Hash: 2131E230B102058FEB99ABB4D86876E7BA3AF89750F10496CC402DB385DF75DD42C7A1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ae7148b23f2e1fe7b612500a8d39d0bc4786db86d5e59edaae9a672b3cee8775
                                                          • Instruction ID: 0844a9c67d893fd1e69b79d190c14e89c70d988b19c0cc50ccde6f5f471bc998
                                                          • Opcode Fuzzy Hash: ae7148b23f2e1fe7b612500a8d39d0bc4786db86d5e59edaae9a672b3cee8775
                                                          • Instruction Fuzzy Hash: 53319430A1430ACBEB65DFA4D85069EB7F2FF85300F108929D405EB644EB71E9468B51
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6ff24a61edac5c713d712605f3dedb5b70afd76126e99186cd10ed75109c4412
                                                          • Instruction ID: b06322cd2db026aab5167aafb34814a98ef27e565a85cf70d0c399cca4e2a561
                                                          • Opcode Fuzzy Hash: 6ff24a61edac5c713d712605f3dedb5b70afd76126e99186cd10ed75109c4412
                                                          • Instruction Fuzzy Hash: 2C318330E002059BDB59DF64D8A46AEB7B2FF89300F10C929E916E7384DBB1AD42CB50
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 38bf2cade2291836a3d869f573fceaf9abf09ac13a94b6046db099427ce0d7a3
                                                          • Instruction ID: 068d57ede9fbf7327c9b5ba4bdfe755f83a9cec1c495cb8866c5297029b60df9
                                                          • Opcode Fuzzy Hash: 38bf2cade2291836a3d869f573fceaf9abf09ac13a94b6046db099427ce0d7a3
                                                          • Instruction Fuzzy Hash: 29317030E102099BDB59DF64D86869EB7F2FF89300F10C929E926E7384DBB1AD41CB50
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.2603288624.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_6800000_5hD3Yjf7xD.jbxd
                                                          Similarity
                                                          • API ID:

                                                          Execution Graph

                                                          Execution Coverage:11.4%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:211
                                                          Total number of Limit Nodes:10

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0737E1E6
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1412430716.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7370000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0737E1E6
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1412430716.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7370000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: 47de684be4b6bde620711aa9050853b75926fd0e55184aa48fafb7d1774529b0
                                                          • Instruction ID: 9b5f25764d977ba824e8c1d555bdf941de212811beca39fc930f4846f4cb59f1
                                                          • Opcode Fuzzy Hash: 47de684be4b6bde620711aa9050853b75926fd0e55184aa48fafb7d1774529b0
                                                          • Instruction Fuzzy Hash: BF916EB1D00219CFEF24DFA9C8417EDBBB2BF48310F0481A9D818A7250DB799985CF92

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 012EB17E
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1404999313.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_12e0000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 2c5d76a89545460871616d4e587def4f4dec54aa85a05347d14baef07c78dcdc
                                                          • Instruction ID: 36ff9b611c8dde91a68193d2cf28a49d1bd2fff201ac5146acc6a5b1eccc19a7
                                                          • Opcode Fuzzy Hash: 2c5d76a89545460871616d4e587def4f4dec54aa85a05347d14baef07c78dcdc
                                                          • Instruction Fuzzy Hash: 09817B70A10B468FE725CF29D05876ABBF1FF48300F00892ED59ADBA50D775E845CB91

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 012E59C9
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1404999313.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_12e0000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: 0d120726b84d82927c348b7a230c41aad1f2fd9bc0d488491e8e89688c5a2401
                                                          • Instruction ID: 1df7e9d2c9ac1882de20855c0fb967f2f2a51dc1cf7e9d515605092201260a17
                                                          • Opcode Fuzzy Hash: 0d120726b84d82927c348b7a230c41aad1f2fd9bc0d488491e8e89688c5a2401
                                                          • Instruction Fuzzy Hash: DF41D2B5C10719CBDB24DFA9C884BDDBBF1BF49304F60846AD408AB251DB756986CF50

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 012E59C9
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1404999313.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_12e0000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: 6bd70225a040678364a5dc913e4e8ed14daf5da62a3f9be405be08b8da2364a0
                                                          • Instruction ID: 3299cb80c24fa113b8c4ad8344aa41608c28a249207024591e602bec4f1e5ba9
                                                          • Opcode Fuzzy Hash: 6bd70225a040678364a5dc913e4e8ed14daf5da62a3f9be405be08b8da2364a0
                                                          • Instruction Fuzzy Hash: 0041D274C10719CBDB24DFA9C888BDEBBF5BF49304F60806AD508AB251DBB56946CF90

                                                          Control-flow Graph

                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0737D9B8
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1412430716.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7370000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: 665fefb0b045a0006386e2d4b9cbaf6386c1eb3cb9c272f2131db399aa350692
                                                          • Instruction ID: db6d44e11404d5149aacfd015d5d307e785f7cf11b12ae7a5edb8c1de521d15a
                                                          • Opcode Fuzzy Hash: 665fefb0b045a0006386e2d4b9cbaf6386c1eb3cb9c272f2131db399aa350692
                                                          • Instruction Fuzzy Hash: 9F2177B59003099FDF10CFAAC881BEEBBF5FF48310F10842AE958A7241C7789951DBA0

                                                          Control-flow Graph

                                                          APIs
                                                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 07355DEF
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1412299811.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7350000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: DrawText
                                                          • String ID:
                                                          • API String ID: 2175133113-0
                                                          • Opcode ID: 27cc158b1402679fcf25b8aaf4b84692c44ede8790dbded2bb657c283e870737
                                                          • Instruction ID: 6465d9b2d871b9a73f56f828062ef6a33823dbaf17ebacdc11d802710d66b19f
                                                          • Opcode Fuzzy Hash: 27cc158b1402679fcf25b8aaf4b84692c44ede8790dbded2bb657c283e870737
                                                          • Instruction Fuzzy Hash: EA31E4B6D002099FDB10CF9AD884ADEFBF5FF48310F14842AE819A7210D774A955CFA1

                                                          Control-flow Graph

                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0737D9B8
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1412430716.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7370000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: 3fa41a1c32e4b87d8534f220a6b0a79ce0e3d7df846163d1d2c80b7e32d88885
                                                          • Instruction ID: 45d33b985b4b7a6bb30422bcf1fb04fd4e055811119cf60ddffa3d608ee8de8f
                                                          • Opcode Fuzzy Hash: 3fa41a1c32e4b87d8534f220a6b0a79ce0e3d7df846163d1d2c80b7e32d88885
                                                          • Instruction Fuzzy Hash: AE2125B59003099FDF10CFAAC885BEEBBF5FF48310F10842AE959A7241C7789955CBA4

                                                          Control-flow Graph

                                                          APIs
                                                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 07355DEF
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1412299811.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7350000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: DrawText
                                                          • String ID:
                                                          • API String ID: 2175133113-0
                                                          • Opcode ID: 44624b3393749b1bf763395b2dd65b8aed229b4e120f573c0325266050a215cd
                                                          • Instruction ID: 89f7fdd062b45ddaf44e528e6bac9dc210ee8c4af123a9b467e4d8c438c09290
                                                          • Opcode Fuzzy Hash: 44624b3393749b1bf763395b2dd65b8aed229b4e120f573c0325266050a215cd
                                                          • Instruction Fuzzy Hash: E121C0B6D003499FDB10CF9AD884ADEFBF5FB48310F14842AE819A7210D774A955CFA0

                                                          Control-flow Graph

                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0737D3D6
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1412430716.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7370000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: 0279fbb3d77fd27471ba0be3c6235bc22f469a4920564b270aeb6c84521a76c8
                                                          • Instruction ID: 6aba447d7883af76882e2aaa0b6a9a53eefc526288c304ed45b4b73909d5b1aa
                                                          • Opcode Fuzzy Hash: 0279fbb3d77fd27471ba0be3c6235bc22f469a4920564b270aeb6c84521a76c8
                                                          • Instruction Fuzzy Hash: A42148B19003099FEB10CFAAC4857EEBBF4EF48314F14842AD459A7241C7799985CFA5

                                                          Control-flow Graph

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012ED7D6,?,?,?,?,?), ref: 012ED897
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1404999313.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_12e0000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 5f4c61059826f43d11193340ada8216d7648bdc5524d2e46a43239da0c090acb
                                                          • Instruction ID: 91e3bdad8404dd9f8f482fa8b519b6d789f8b462b4b8157ca1043bd4ede8f877
                                                          • Opcode Fuzzy Hash: 5f4c61059826f43d11193340ada8216d7648bdc5524d2e46a43239da0c090acb
                                                          • Instruction Fuzzy Hash: F32116B5C00208DFDB10DF99D585ADEBBF4FB48310F14842AE958A3350D3789955CF61

                                                          Control-flow Graph

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,012ED7D6,?,?,?,?,?), ref: 012ED897
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1404999313.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_12e0000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 249caa26b9b3d94fbd37912c6232826e3c88c896851366942f65b6624337f107
                                                          • Instruction ID: 50655714f526391fe6afc1b771397c9cdfee3d5226af7a35e255e3a4b1943dc3
                                                          • Opcode Fuzzy Hash: 249caa26b9b3d94fbd37912c6232826e3c88c896851366942f65b6624337f107
                                                          • Instruction Fuzzy Hash: D221D4B59002489FDB10CF9AD884AEEBBF4EB48310F14842AE958A7351D374A955CFA5

                                                          Control-flow Graph

                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0737DA98
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1412430716.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7370000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: 960a5c15a007d2d6f8e45d8e85f773ffd8fe8f3052196bb67f5a8d74ea8a21ad
                                                          • Instruction ID: 6a7bc11341b5b1631949f07b3fecfa89381641b50e4817d31393c84d98f5c92b
                                                          • Opcode Fuzzy Hash: 960a5c15a007d2d6f8e45d8e85f773ffd8fe8f3052196bb67f5a8d74ea8a21ad
                                                          • Instruction Fuzzy Hash: 582148B59003499FDB10DFAAC884BEEFBF5FF48310F50882AE959A7240C7799551CBA4

                                                          Control-flow Graph

                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0737D3D6
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1412430716.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7370000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: 26243aa37b9a971b552dba0dfd1b2c9f1ee05eef4e32549c00f7f1b93646d32e
                                                          • Instruction ID: 3bb4c459afd8359bec771de9df994499f1a566d60f432533ce1f74cc4c78a1d8
                                                          • Opcode Fuzzy Hash: 26243aa37b9a971b552dba0dfd1b2c9f1ee05eef4e32549c00f7f1b93646d32e
                                                          • Instruction Fuzzy Hash: C52149B1D003099FEB10DFAAC4857EEBBF4EF48314F54842AD459A7241C7789945CFA5

                                                          Control-flow Graph

                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0737DA98
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1412430716.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7370000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: 4962220dcd57ed02b309ede35864e628e5db27503315396e9f535a5ad95acd1e
                                                          • Instruction ID: 04785c3f2cb8b7714a9010fa21b0f60c5d3d8323ab29e3eed851605ce04008df
                                                          • Opcode Fuzzy Hash: 4962220dcd57ed02b309ede35864e628e5db27503315396e9f535a5ad95acd1e
                                                          • Instruction Fuzzy Hash: C32145B19003499FDB10CFAAC880BEEFBF5FF48310F50842AE958A7240C7789941CBA0
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0737D8D6
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1412430716.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7370000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: a8b345e93844c788835b6e95f9cbd67c04ce130eabf727123f4870da1756060b
                                                          • Instruction ID: 17b2dfe406caaab64790ed84f2f7afbc41a7de9cd84153b4199ce5884d578c6c
                                                          • Opcode Fuzzy Hash: a8b345e93844c788835b6e95f9cbd67c04ce130eabf727123f4870da1756060b
                                                          • Instruction Fuzzy Hash: 37118CB6800308AFDB10DFAAD4057DEBBF5EF48310F108429D555A7250C7759951CFA1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1412430716.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7370000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 8def7dd19fdf7fa7cbe329c490f73e3e2c8920b421ee322eae713ec9af5eb50d
                                                          • Instruction ID: fd089a372c6847744e3d4fbb302a801a308599def8211dd8963aafe149cc9e31
                                                          • Opcode Fuzzy Hash: 8def7dd19fdf7fa7cbe329c490f73e3e2c8920b421ee322eae713ec9af5eb50d
                                                          • Instruction Fuzzy Hash: 3E118BB1D003488FEB10DFAAD4447DEFBF4EF88324F14842AC459A7240C779A945CB94
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0737D8D6
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1412430716.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7370000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 97318be637dc01fce5dc239d6fc16cdbc746efbd7331a45dfaac0a09355da144
                                                          • Instruction ID: 0459ae8e0ccdadd391c4e32334bb15d031b77e8d0291862cf15a8fbfc64080c5
                                                          • Opcode Fuzzy Hash: 97318be637dc01fce5dc239d6fc16cdbc746efbd7331a45dfaac0a09355da144
                                                          • Instruction Fuzzy Hash: 8F1167B69003089FDF10DFAAC844BEEBBF5EF48310F148429E519A7250C7799550CFA1
                                                          APIs
                                                          • PostMessageW.USER32(?,?,?,?), ref: 0BD8121D
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1416287591.000000000BD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BD80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_bd80000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          • Opcode ID: e17eb93c93b76ac06aa96184161ab4ba79fd0d5ee88f2c1caa0e43a0f3ac9312
                                                          • Instruction ID: ee3c1ff3394e3e40df2a0f2b89aa16e299673d11eeec1e6e17921052617995e4
                                                          • Opcode Fuzzy Hash: e17eb93c93b76ac06aa96184161ab4ba79fd0d5ee88f2c1caa0e43a0f3ac9312
                                                          • Instruction Fuzzy Hash: F11122B58003089FDB10DF9AD846BDEFBF8FB48320F20841AE958A7210D375A585CFA1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1412430716.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7370000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 7a167bcaefa8a8a4a0fa08dbcea0b085578583cfb32d480fb3e39dcd78ffa865
                                                          • Instruction ID: 53be6ba60c4e2c22ad4d86e3df53a836f5c5bd7299d6f220d00db71240a06e32
                                                          • Opcode Fuzzy Hash: 7a167bcaefa8a8a4a0fa08dbcea0b085578583cfb32d480fb3e39dcd78ffa865
                                                          • Instruction Fuzzy Hash: CD116AB1D003088FEB20DFAAC4457DEFBF4EF88314F148429C459A7240C779A544CBA4
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 012EB17E
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1404999313.00000000012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_12e0000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 512e8dd6769cd4521cb1a4e6dc4b31450187665e1dd17b687f6f191d84e3af12
                                                          • Instruction ID: 7f0558bc70f1e40cbed966ebf8b7e3d6437a9cafa7a16b03842bcbaf668a0453
                                                          • Opcode Fuzzy Hash: 512e8dd6769cd4521cb1a4e6dc4b31450187665e1dd17b687f6f191d84e3af12
                                                          • Instruction Fuzzy Hash: 4411DFB6C006498FDB10CF9AD848BDEFBF4AB88224F10842AD959A7250C379A545CFA1
                                                          APIs
                                                          • PostMessageW.USER32(?,?,?,?), ref: 0BD8121D
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1416287591.000000000BD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BD80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_bd80000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          • Opcode ID: a12bbf55b0ee8b4902107e059962d07562e1f2db448d7bd50952a580f6793f49
                                                          • Instruction ID: 0160f813fcda7d29b7df13e74e4ceaf1bed255fcf886142ae43c8938498ce860
                                                          • Opcode Fuzzy Hash: a12bbf55b0ee8b4902107e059962d07562e1f2db448d7bd50952a580f6793f49
                                                          • Instruction Fuzzy Hash: D211D3B5800349DFDB10DF9AD445BDEFBF8EB48320F10841AD558A7250C375A554CFA1
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1404684272.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_124d000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b74da685b9bc5c99b3fbdb71d1fa012065bb4fd6bb039e3ef2f1fd4dd477e79a
                                                          • Instruction ID: abef321ec4600464e2c603f164876055003f2ae121d54a4dea34093e8b864aee
                                                          • Opcode Fuzzy Hash: b74da685b9bc5c99b3fbdb71d1fa012065bb4fd6bb039e3ef2f1fd4dd477e79a
                                                          • Instruction Fuzzy Hash: A8212871514308DFDB09DF94D8C4B2ABB65FB98320F20C569ED090B247C376D416CBA1
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1404755890.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_125d000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6964572dd4c1f38506d93dd7ce7a25c2e823859225946395ddb9c3683c8067ed
                                                          • Instruction ID: 482b0de5f173daa038c806f0dbc98b80cabb3f4668d842d4c18e064daecee760
                                                          • Opcode Fuzzy Hash: 6964572dd4c1f38506d93dd7ce7a25c2e823859225946395ddb9c3683c8067ed
                                                          • Instruction Fuzzy Hash: F5213471524308EFDB45DF94D9C0B26BBA1FB88324F20C56DED098B253C376D846CA62
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1404755890.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_125d000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: eb8ea2aaf95850d97020657548a4ab2c72690f0044c7949574d5ef9662e83d9f
                                                          • Instruction ID: a96c332a606d4dbafe3b55c21c1603cb08469f903f619ca2818b3c4587112ed0
                                                          • Opcode Fuzzy Hash: eb8ea2aaf95850d97020657548a4ab2c72690f0044c7949574d5ef9662e83d9f
                                                          • Instruction Fuzzy Hash: 5D212271624308DFDB55DFA4D8C0B26BB61EB88314F20C56DDD0A4B252C37AD447CA62
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1404755890.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_125d000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5d2eb3be168dc9f91009d393612cf16de3716908a0e35b6b742b4200eaa59834
                                                          • Instruction ID: 84f34e69c0c32fe4fe223a637a432f464776409bd93ec65a1385a740bde3d227
                                                          • Opcode Fuzzy Hash: 5d2eb3be168dc9f91009d393612cf16de3716908a0e35b6b742b4200eaa59834
                                                          • Instruction Fuzzy Hash: 0121CA755083848FCB02CF24C9D0B15BF71EB46314F28C5EAD9498B2A3C33AD80ACB62
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1404684272.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_124d000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e91bdf0bd23193508057cb366e2903bad23f0689d54242342d8c5009dfe04fd1
                                                          • Instruction ID: e0877abddea10ed26f9ef139f1c77e17415a442cbd58203f250f0c97fbb1e087
                                                          • Opcode Fuzzy Hash: e91bdf0bd23193508057cb366e2903bad23f0689d54242342d8c5009dfe04fd1
                                                          • Instruction Fuzzy Hash: B721CD76404244CFDB06CF54D9C4B16BF62FB84324F24C1AADD080A657C33AD42ACBA1
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1404755890.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_125d000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
                                                          • Instruction ID: e1dd39030255047b7fc664524afe8de73de4f885028052a3ebcbfb66176795fe
                                                          • Opcode Fuzzy Hash: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
                                                          • Instruction Fuzzy Hash: 3C11EB75504284CFDB02CF54C5C0B15BBA1FB84324F24C6ADDD498B293C33AD44ACB61
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1412299811.0000000007350000.00000040.00000800.00020000.00000000.sdmp, Offset: 07350000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7350000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a99ebb60aa328fe8d881ddf503c204ceec642358704b987ce3929c80ddc0a417
                                                          • Instruction ID: 3deac0b8e9bcd0745aba5c98a98e404a7635d9b09b56ad2f94f7d89b20077761
                                                          • Opcode Fuzzy Hash: a99ebb60aa328fe8d881ddf503c204ceec642358704b987ce3929c80ddc0a417
                                                          • Instruction Fuzzy Hash: 2E2127F3509751DFEB0A9F68E8118E8FBF1EF822207058197D8089B662DB30D849C7C2
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1416287591.000000000BD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BD80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_bd80000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 234edfa43a7f209c51b11dc4f43957acfcec22599ff4eb795b4440a465982adc
                                                          • Instruction ID: ece409944039cc00ea0233e7b8c49a6912a9393494e9b12c507ce661f60a63c8
                                                          • Opcode Fuzzy Hash: 234edfa43a7f209c51b11dc4f43957acfcec22599ff4eb795b4440a465982adc
                                                          • Instruction Fuzzy Hash: 81F03079949104CFC714AF94E4485F8F7BCFB4A327F0060A2945E97222CB30A949CF50
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1416287591.000000000BD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BD80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_bd80000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: baa2bfbc8f9c0d1090fb1b6bc19ddc6241da76aa9c2b062e1565160b79b5b260
                                                          • Instruction ID: 67941e37ecea1aea10070e16676be07d2655acc8bafb6b2ec7777cd999299813
                                                          • Opcode Fuzzy Hash: baa2bfbc8f9c0d1090fb1b6bc19ddc6241da76aa9c2b062e1565160b79b5b260
                                                          • Instruction Fuzzy Hash: 53E04FB9D4E104CFC701AFA4A5442F8F7BCE74B72BF0420A2919E97622D630A9088B25

                                                          Execution Graph

                                                          Execution Coverage: 12.8%
                                                          Dynamic/Decrypted Code Coverage: 100%
                                                          Signature Coverage: 0%
                                                          Total number of Nodes: 17
                                                          Total number of Limit Nodes: 4
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ccb39e32ad5fd96a374668a4bbd7ecf94a1db898dea8b47b52ca04934354c5e1
                                                          • Instruction ID: acf31e7cf7f595753d6f39ea3f9dd7ae3c75d68f3f38322b55cd1611359dced8
                                                          • Opcode Fuzzy Hash: ccb39e32ad5fd96a374668a4bbd7ecf94a1db898dea8b47b52ca04934354c5e1
                                                          • Instruction Fuzzy Hash: 02D23C34E10205CFDB64EF68C584A9DB7B2FF85310F5485A9E44AAB351EB34EE85CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f739b8c57260e8ad7fbe389a6115591d1e6f2c478731692a4694761168b7cb58
                                                          • Instruction ID: ed5b98aca9e485f01d65e8f8cc63e1a9e2494123f3d2f8b58a341fe4a3dc9839
                                                          • Opcode Fuzzy Hash: f739b8c57260e8ad7fbe389a6115591d1e6f2c478731692a4694761168b7cb58
                                                          • Instruction Fuzzy Hash: 2D626934B00204CFDB54EBA9D594BADBBF2EF89314F148469E806AB394DB75ED41CB90

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 84194a00a9e4294fe6ac63be23bc72adfc663f5167be7114973f18b029b99996
                                                          • Instruction ID: f79951070109abca1bd93bb07b79c04b8d6385ca23c1540c5d42e8bd2548a48a
                                                          • Opcode Fuzzy Hash: 84194a00a9e4294fe6ac63be23bc72adfc663f5167be7114973f18b029b99996
                                                          • Instruction Fuzzy Hash: 5622A175E102148FDF64EBA8C4807AEBBB2EF89320F64846AD415EB344DB35DD46CB91
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e2ec3365f38bdc3af079cb32cb01e429f246794351af05e1312040287adbae16
                                                          • Instruction ID: 330e911b4f71e68a6c71de24920d836ff6df3bbb1233c20d8fc8a6786628c6a0
                                                          • Opcode Fuzzy Hash: e2ec3365f38bdc3af079cb32cb01e429f246794351af05e1312040287adbae16
                                                          • Instruction Fuzzy Hash: 04225070E101098FEF64EBA9D4947AEB7F6FB45310F24852AE405EB391CA39DD81CB91

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ad982b599399f4c1b6938689598354d815520c45aeaa2f119d2f7c078fba1624
                                                          • Instruction ID: e735951d4e48ee8323db01222d9e10f9560292fd2c96b05b937f92596f8ca039
                                                          • Opcode Fuzzy Hash: ad982b599399f4c1b6938689598354d815520c45aeaa2f119d2f7c078fba1624
                                                          • Instruction Fuzzy Hash: 72029C30B11205CFDB54EFA9D4946AEBBE2FF84710F148568D806AB395DB35ED42CB90

                                                          Control-flow Graph

                                                          • Graph: basic-block edge list of the rendered control-flow figure (not reproduced); entry block 6c47688, calls 6c46590
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4bcb7d0ed2cafdfa294c2304091e62f27cdf5de787d54ff713e481d72e3d4a3e
                                                          • Instruction ID: 6d12316b28c8bfc582bb2bb0c4a048c1fee7c534b5e97865d46045c2cbf17f7e
                                                          • Opcode Fuzzy Hash: 4bcb7d0ed2cafdfa294c2304091e62f27cdf5de787d54ff713e481d72e3d4a3e
                                                          • Instruction Fuzzy Hash: 14120034E00219CFDB64EFA9D9946AEB7B2FF84314F208569D406AB354DB349D85CFA0

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2591334342.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_16b0000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: _
                                                          • API String ID: 0-701932520
                                                          • Opcode ID: 0ca5676180d72651b1c9f76c6b8487745faf72ccb8a2e1e67233ddb55ceb02c7
                                                          • Instruction ID: dab4dd51d135edeb625f1d801b9a62a7358b5bdee27d01e21ae5e07aac30dd3b
                                                          • Opcode Fuzzy Hash: 0ca5676180d72651b1c9f76c6b8487745faf72ccb8a2e1e67233ddb55ceb02c7
                                                          • Instruction Fuzzy Hash: 4A515772E043898FDB14DFA9D8443EDBBB1AF89220F05856AD518E7381E7349885CBE1

                                                          Control-flow Graph

                                                          • Graph: basic-block edge list of the rendered control-flow figure (not reproduced); entry block 16bec20, calls GlobalMemoryStatusEx
                                                          APIs
                                                          • GlobalMemoryStatusEx.KERNELBASE ref: 016BEC87
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2591334342.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_16b0000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID: GlobalMemoryStatus
                                                          • String ID:
                                                          • API String ID: 1890195054-0
                                                          • Opcode ID: 3c4478e622f2ee9680a97f4facdc4539d36d8a2596165a298fefbf514ad7223b
                                                          • Instruction ID: b0b66965af69553df7f0c8a85f0b2f499b67e55fa2c7fe52b3f31abe0381811a
                                                          • Opcode Fuzzy Hash: 3c4478e622f2ee9680a97f4facdc4539d36d8a2596165a298fefbf514ad7223b
                                                          • Instruction Fuzzy Hash: 8B1112B1C006599BDB10CF9AC444BEEFBF4AF48220F15812AD818A7241D378A944CFA1

                                                          Control-flow Graph

                                                          • Graph: basic-block edge list of the rendered control-flow figure (not reproduced); entry block 6c4cf28, calls 6c46590, 6c4dab0 and 6c4da9d
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a6136529447d667b8bd7ba95db4b22b8bcf9d9a0bf8a00172996d23029e13b80
                                                          • Instruction ID: d9c45ce9f5896386fa6fd51c0ff9b74c17e99cc88bb96339eed3a97de8b740c6
                                                          • Opcode Fuzzy Hash: a6136529447d667b8bd7ba95db4b22b8bcf9d9a0bf8a00172996d23029e13b80
                                                          • Instruction Fuzzy Hash: 98625B70A00209CFDB55EFA8D590A5EBBF2FF84310B208A68D006AF755DB75ED46CB91

                                                          Control-flow Graph

                                                          • Graph: basic-block edge list of the rendered control-flow figure (not reproduced); entry block 6c4c170, calls 6c46590
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 973a91c05ad1dc642fb89161fc0dedf2fde4531e2179ffb8857606ea1a9033c9
                                                          • Instruction ID: 82b2d42f5bd613eac665556d53676f1bd6bc2a2c0e185ff60881c340c5b409f6
                                                          • Opcode Fuzzy Hash: 973a91c05ad1dc642fb89161fc0dedf2fde4531e2179ffb8857606ea1a9033c9
                                                          • Instruction Fuzzy Hash: 80324F74B11205DFDB54EFA8D990BAEBBB2EB88310F108529D406E7361DB39ED41CB91

                                                          Control-flow Graph

                                                          • Graph: basic-block edge list of the rendered control-flow figure (not reproduced); entry block 6c4b630, calls 6c46590
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1d975ba1d66db98bd2b0481f7dfbc177a70fcdae64408b221adafb8981320763
                                                          • Instruction ID: bebfb083a0a705ef98067009c83577cf7e8e74df2c60bf4d67a4a6c472bacf6a
                                                          • Opcode Fuzzy Hash: 1d975ba1d66db98bd2b0481f7dfbc177a70fcdae64408b221adafb8981320763
                                                          • Instruction Fuzzy Hash: FA025930E14209CFDB64EFA9D4806AEB7F2FB85310F20856AD405EB255DB35EE45CB91

                                                          Control-flow Graph

                                                          • Graph: basic-block edge list of the rendered control-flow figure (not reproduced); entry block 6c4acb8, calls 6c46590 and 6c4b20f
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e549d677affa94755d296bca80d5fa3e290c9b159e8bf7ff0ce6168cd36b45d3
                                                          • Instruction ID: 167cb3c11b1f9ac94d947ad95631a118673f5c43e50b7609ed1b4e1a2a375c96
                                                          • Opcode Fuzzy Hash: e549d677affa94755d296bca80d5fa3e290c9b159e8bf7ff0ce6168cd36b45d3
                                                          • Instruction Fuzzy Hash: F6E15C30E10209CFDB65EFA9D8906AEB7B2FF85310F20852DD416AB254DB35ED46CB91
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f65b6b7271dde6f6446e7f3a7a5ce1ccb31870d4b1174dddb05e85dd150d0b59
                                                          • Instruction ID: 5964660af5fda5cced08dc42e6363f58d908a7c55e56231bf60f76805175bf9a
                                                          • Opcode Fuzzy Hash: f65b6b7271dde6f6446e7f3a7a5ce1ccb31870d4b1174dddb05e85dd150d0b59
                                                          • Instruction Fuzzy Hash: 2C914B70B002199FDB54DF69D9607AFBBF2FB88710F108569C80AAB345EF349D419BA0
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e94d15de2ecc61164381081f7ffe6480485d3f2eff39adb6e15c3308411d1031
                                                          • Instruction ID: 8e44bd143e6988233bb6cbd68a7689266bada67208a78abead782cd3202812cb
                                                          • Opcode Fuzzy Hash: e94d15de2ecc61164381081f7ffe6480485d3f2eff39adb6e15c3308411d1031
                                                          • Instruction Fuzzy Hash: 3561C171F001104BDF64AA7ECC8466EBAE7AFC5620B554439D80ADB364DE76ED0287D1
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 43c626c14d4dc6d5e9762561814da8737f086f0ee88d6dc114156c511b12e1c4
                                                          • Instruction ID: 50e0f91a81dc2107e34c9a401a3e0d88b1490ed8952b0979d46aa6dbc2f40b99
                                                          • Opcode Fuzzy Hash: 43c626c14d4dc6d5e9762561814da8737f086f0ee88d6dc114156c511b12e1c4
                                                          • Instruction Fuzzy Hash: BD913E30E102598FDF64DF68C890B9DB7B1FF89310F20C699D549BB295DB70AA85CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: aeae5d5b40430fd0b2d8fe851c7cf554f922c94ac84a68cb9dc30c07b90d847f
                                                          • Instruction ID: a50066a75c2c856c59ab842a3b694bb7f00f1b102a950d610a6afa3ac2006618
                                                          • Opcode Fuzzy Hash: aeae5d5b40430fd0b2d8fe851c7cf554f922c94ac84a68cb9dc30c07b90d847f
                                                          • Instruction Fuzzy Hash: 5C815E70B102058BDB58DFA9D4547AEBBF2EB88700F208568D40AEB355EF35DD428B91
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e75f4ff4d21adca2d40885517648b430435a3f01a3d24f57ce91b931b64d27fd
                                                          • Instruction ID: dd22a2924138f479f8ff92f76ce30bcb05e4b305471512c6f015613947994bc8
                                                          • Opcode Fuzzy Hash: e75f4ff4d21adca2d40885517648b430435a3f01a3d24f57ce91b931b64d27fd
                                                          • Instruction Fuzzy Hash: 17814E70B102098BDF58DFA9D4547AEBBF2EB89700F208568D40AEB354EF35DD428791
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3c9a20f86f36e4415fe2bd24ab6d60133aa38c32a7b8bede0752687add8c0f63
                                                          • Instruction ID: 366e1cb736cbe26728060eae705fc22fef7f0431d0f5e3587e2cacdad5f0c147
                                                          • Opcode Fuzzy Hash: 3c9a20f86f36e4415fe2bd24ab6d60133aa38c32a7b8bede0752687add8c0f63
                                                          • Instruction Fuzzy Hash: 1B912F30E106198BDF64DF68C890B9DB7B1FF89310F20C699D549BB284DB71AA85CF90
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5f20b3b07e7d79571e65e6c2f6f7b7c92921fea0bac378d228ddefa5c62d29de
                                                          • Instruction ID: f643f40c74a14760a3d41159ca058b3f401cca232d5993655b2ab270b3f4bc50
                                                          • Opcode Fuzzy Hash: 5f20b3b07e7d79571e65e6c2f6f7b7c92921fea0bac378d228ddefa5c62d29de
                                                          • Instruction Fuzzy Hash: C9714A70E002498FDB54EFA8D980AAEBBF6FF88310F248529D415AB355DB30ED46CB40
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fa977f4692acc63a0a3a079b230a86ceb9855187a7536920afa67eb3d3ebae73
                                                          • Instruction ID: b162f5ed875c9948ff2df0f825aff454aa76535c787805b652de069dc8cb2a63
                                                          • Opcode Fuzzy Hash: fa977f4692acc63a0a3a079b230a86ceb9855187a7536920afa67eb3d3ebae73
                                                          • Instruction Fuzzy Hash: 3C714C70A002499FDB54EFA8D980AAEBBF6FF88310F248429D415EB355DB34ED46CB50
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 31c569a0df2ad70ecd0669a1cda844ad8d226c9754c271a08b22b1297ac11e22
                                                          • Instruction ID: 21144b5b28fd0a290d2a2265a81a89f839e20fae1853bbb3201d328530245f9b
                                                          • Opcode Fuzzy Hash: 31c569a0df2ad70ecd0669a1cda844ad8d226c9754c271a08b22b1297ac11e22
                                                          • Instruction Fuzzy Hash: 0A616F70E002099FEB54EFA9C8547AEBAF6FB88710F20852AD106AB394DF755D45CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9afd43b8d2e9e0c990df2f914d21442aeaeb3989882c2ca3a18cb46f44339c96
                                                          • Instruction ID: e898e9d2329d387c42888ce0abbebaa4224a82df19d30c045dc1ceb2ada0920f
                                                          • Opcode Fuzzy Hash: 9afd43b8d2e9e0c990df2f914d21442aeaeb3989882c2ca3a18cb46f44339c96
                                                          • Instruction Fuzzy Hash: 8751C031E00109DFDB24FFB8E5946AEBBB2EB88311F10887DE116D7250DB359A55CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f27925e229240ec9c393cf707f2a7464f22cb1edd79b7b62c93985d977b79784
                                                          • Instruction ID: 65fbd7088aaec79cce8e4d78e578f14a10b5bb1ce0c96ba689c1f5b08b68c86f
                                                          • Opcode Fuzzy Hash: f27925e229240ec9c393cf707f2a7464f22cb1edd79b7b62c93985d977b79784
                                                          • Instruction Fuzzy Hash: 15516170B20204DBEF64EAA9E854B7E275AD789750F20843EE40BD7790C97DCD5193A2
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ec24d0cf9fd9f8430e881d808e6a58808088820ec9385a18de36cea1ee3c968c
                                                          • Instruction ID: c76c82f50fedc089fe00f1ee20f355eacf3fa5f0d046b5f8fd369c39dcdba4fe
                                                          • Opcode Fuzzy Hash: ec24d0cf9fd9f8430e881d808e6a58808088820ec9385a18de36cea1ee3c968c
                                                          • Instruction Fuzzy Hash: 96517F70B202049BEF64EAA9E894B7E275AD7C9710F20843EE40BD7790CD6DCD5153A2
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 670b3f0ea2b98503a63b588b13f25186c0adec43900423b98efee5a1a17d36ec
                                                          • Instruction ID: 09b854aa18a8cff6bbef0b3d497cde642eab2e3f3503efc5e2dfdb5edca4c1a5
                                                          • Opcode Fuzzy Hash: 670b3f0ea2b98503a63b588b13f25186c0adec43900423b98efee5a1a17d36ec
                                                          • Instruction Fuzzy Hash: 8F512E70B001149FDB54DF69D9A0BAFBBF6EB88710F508469C80AAB355DF34AD41DBA0
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 28d8c718c85b68d3ebab5a095fe713b208333f62e89f8c4c85b60746c86108ff
                                                          • Instruction ID: ee0bf7805d1c7919a70a2c2a80b5fad34f6906fe22a086c416fa26c7779f8735
                                                          • Opcode Fuzzy Hash: 28d8c718c85b68d3ebab5a095fe713b208333f62e89f8c4c85b60746c86108ff
                                                          • Instruction Fuzzy Hash: EF417F70B102089FEB54DFA9C854BAEBBF6FF88710F20852AD105AB394DB759C05CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5720089aadf12f5ed1e477ee4ea68322b430bb553be5ad30d8f939c0c38b3aae
                                                          • Instruction ID: 7a5ce9f69b9ddb60d7991fe1922e9e33ee63c641cc6e7920182a83a02e5a8621
                                                          • Opcode Fuzzy Hash: 5720089aadf12f5ed1e477ee4ea68322b430bb553be5ad30d8f939c0c38b3aae
                                                          • Instruction Fuzzy Hash: 94413A71E0060A8BDF70DEA9D880ABFF7F2FB84310F50892AE11AD7654D631E955CB91
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c7e2f3eab13f1b15ffa696a313e457942648bf9d2719854427c0686cee7d624e
                                                          • Instruction ID: 0ea430b82f65828716b4b6e329b125228b8b70f6660ba52da504c65c0f2bddd7
                                                          • Opcode Fuzzy Hash: c7e2f3eab13f1b15ffa696a313e457942648bf9d2719854427c0686cee7d624e
                                                          • Instruction Fuzzy Hash: D6415E70E10309DBDB64FFA5D49469EBBB2BF85700F20852DD806EB240EB70E946CB91
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 16bfcd5c184915dc83d4fd81c2a9254ec0917659ee2d20ba35f7ed19e765f0f7
                                                          • Instruction ID: 71e63d6b8a7514352a7b1610d0b572ff7da65e37c4b5ad0b05c0d2d2e184d8e6
                                                          • Opcode Fuzzy Hash: 16bfcd5c184915dc83d4fd81c2a9254ec0917659ee2d20ba35f7ed19e765f0f7
                                                          • Instruction Fuzzy Hash: FB417C70E00309DBDB65EFA9D49469EBBB2BF85200F10452EE802EB240EB70E942CB51
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2551af6684e9971dbba98bd3820a9457cf5c00a77cb0bf3ac44d8e19c0645e06
                                                          • Instruction ID: 7fc8d1504481847dd3a8e36d7c3b37cc9320fa926bb0ba0464a1febc7ae8db20
                                                          • Opcode Fuzzy Hash: 2551af6684e9971dbba98bd3820a9457cf5c00a77cb0bf3ac44d8e19c0645e06
                                                          • Instruction Fuzzy Hash: 0E31CE30B142058FDB65EB78D55866E7BA2AB89210F14446CE402EB395EF38CE05C7A1
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5915c24c53e30c72afcf39b279eda63b42d2d3e9603fbe3379581af35c8fcbd6
                                                          • Instruction ID: 29e527fbc3f8ee69c43565ccf535e8e467f8fcb3a01283652f148ea2ff51193c
                                                          • Opcode Fuzzy Hash: 5915c24c53e30c72afcf39b279eda63b42d2d3e9603fbe3379581af35c8fcbd6
                                                          • Instruction Fuzzy Hash: BE319E30B102059BDB69EB79D55866E7BA3AB89610F10446CE402DB355DF39CE01C7A5
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 808e4eff7c910e5805a7dffa2bd4796ca39039e784b4cb8d21f7be72033f194b
                                                          • Instruction ID: de88cdb6c447fe5ac6b4c50743553159c8924fc971ddeeb410e763c3ccbfc3cb
                                                          • Opcode Fuzzy Hash: 808e4eff7c910e5805a7dffa2bd4796ca39039e784b4cb8d21f7be72033f194b
                                                          • Instruction Fuzzy Hash: CC317470E1430ADBDB25EFA5D89069EBBB2FF85200F108569D406EB640EB71F946CB51
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bcdad6ce4f9ef1c614361e156e167602b2e49cf416cc0c9f6a20c9272a912427
                                                          • Instruction ID: 83fc53898eb496acc041b871eff5a7b78be838e7159245dfc7ac119b51dd7920
                                                          • Opcode Fuzzy Hash: bcdad6ce4f9ef1c614361e156e167602b2e49cf416cc0c9f6a20c9272a912427
                                                          • Instruction Fuzzy Hash: 5D318934E106059BCB18DF68D895AAEBBF2FF88300F108529E806E7340DB75EE42CB50
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: acd25996636303e0f62292ac2ae0f5b61239d553260c80b3e4de3f7f566cb979
                                                          • Instruction ID: c2259fe35fdd89ea70e63294843e00af66da45551af52c772755381c3e3e8b95
                                                          • Opcode Fuzzy Hash: acd25996636303e0f62292ac2ae0f5b61239d553260c80b3e4de3f7f566cb979
                                                          • Instruction Fuzzy Hash: 3C316E35E106099BCB19DF68D895AAEBBF2FF89300F108529E906E7350DB75EE41CB50
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6904610982e9b0c276b46c695c4e4260aaaaa3d3f9bd7ed175d7c288b4b2e58b
                                                          • Instruction ID: a98a2d6464c87f27fba81db2354d2b5ac21d4b9f3104a5462e2e071b9a01d7ee
                                                          • Opcode Fuzzy Hash: 6904610982e9b0c276b46c695c4e4260aaaaa3d3f9bd7ed175d7c288b4b2e58b
                                                          • Instruction Fuzzy Hash: 07212C75F012159FDB50DFA9D880AEEBBF5EB88710F10806AE905E7381E734DD419BA4
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.2604406352.0000000006C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_6c40000_qIQACwuR.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 79ac48943a78b347431caa17e277624d3225678dbb56d9aeea138e41683b6420
• Instruction ID: 4a80fd109078668e71e809452477a3314e8c8f7808a95a18d26a01d775d8f5b8
• Opcode Fuzzy Hash: 79ac48943a78b347431caa17e277624d3225678dbb56d9aeea138e41683b6420
• Instruction Fuzzy Hash: E9213B75E016159FDB50DFAED880AAEBBF1EB88710F108069E909E7380E734DD408BA4
Memory Dump Source
• Source File: 0000000E.00000002.2589689674.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_122d000_qIQACwuR.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 545e498d1bcccfbcbe7bcdff336f13969f62f6fc9eb0e0dc1b53b1c38798c0b0
• Instruction ID: f7a7b91b4652e81e16cbf7c840329de55338019ec4f58195d769c32d4bd1fb9a
• Opcode Fuzzy Hash: 545e498d1bcccfbcbe7bcdff336f13969f62f6fc9eb0e0dc1b53b1c38798c0b0
• Instruction Fuzzy Hash: DD216771518308EFDB10DF94D8C0B2ABB61FB84314F20C56DE9090B262C37BD447CA62