
Windows Analysis Report
MyzWeEOlqb.exe

Overview

General Information

Sample name: MyzWeEOlqb.exe (renamed because the original name is a hash value)
Original sample name: 978c433d464e5054730c8003bdea37d3e8c9a0b0e254a8eacdbb57fa543da44e.exe
Analysis ID: 1588683
MD5: d1b6e4986207a3d73636af9612f26101
SHA1: 080ac4fa0ed47862e48bf8f2ea6794299edb57df
SHA256: 978c433d464e5054730c8003bdea37d3e8c9a0b0e254a8eacdbb57fa543da44e
Tags: AgentTesla, exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • MyzWeEOlqb.exe (PID: 5476 cmdline: "C:\Users\user\Desktop\MyzWeEOlqb.exe" MD5: D1B6E4986207A3D73636AF9612F26101)
    • powershell.exe (PID: 6628 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MyzWeEOlqb.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5940 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 1396 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uGbdmwuUS.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2588 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpB0DB.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MyzWeEOlqb.exe (PID: 4892 cmdline: "C:\Users\user\Desktop\MyzWeEOlqb.exe" MD5: D1B6E4986207A3D73636AF9612F26101)
  • uGbdmwuUS.exe (PID: 6048 cmdline: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe MD5: D1B6E4986207A3D73636AF9612F26101)
    • schtasks.exe (PID: 5552 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpC2CD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • uGbdmwuUS.exe (PID: 1016 cmdline: "C:\Users\user\AppData\Roaming\uGbdmwuUS.exe" MD5: D1B6E4986207A3D73636AF9612F26101)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware configuration: {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}
Source | Rule | Description | Author | Strings
00000009.00000002.3376401569.0000000002CCC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000009.00000002.3376401569.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000009.00000002.3376401569.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000E.00000002.3373024307.000000000042E000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0000000E.00000002.3373024307.000000000042E000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(13 entries in total; 5 shown)

Source | Rule | Description | Author | Strings
14.2.uGbdmwuUS.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
14.2.uGbdmwuUS.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
14.2.uGbdmwuUS.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | matched strings listed below
  • 0x334f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33569:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x335f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33685:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x336ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33761:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x337f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33887:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.MyzWeEOlqb.exe.38f5e38.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.MyzWeEOlqb.exe.38f5e38.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(12 entries in total; 5 shown)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MyzWeEOlqb.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MyzWeEOlqb.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MyzWeEOlqb.exe", ParentImage: C:\Users\user\Desktop\MyzWeEOlqb.exe, ParentProcessId: 5476, ParentProcessName: MyzWeEOlqb.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MyzWeEOlqb.exe", ProcessId: 6628, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MyzWeEOlqb.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MyzWeEOlqb.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MyzWeEOlqb.exe", ParentImage: C:\Users\user\Desktop\MyzWeEOlqb.exe, ParentProcessId: 5476, ParentProcessName: MyzWeEOlqb.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MyzWeEOlqb.exe", ProcessId: 6628, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpC2CD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpC2CD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe, ParentImage: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe, ParentProcessId: 6048, ParentProcessName: uGbdmwuUS.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpC2CD.tmp", ProcessId: 5552, ProcessName: schtasks.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\MyzWeEOlqb.exe, Initiated: true, ProcessId: 4892, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49716
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpB0DB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpB0DB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\MyzWeEOlqb.exe", ParentImage: C:\Users\user\Desktop\MyzWeEOlqb.exe, ParentProcessId: 5476, ParentProcessName: MyzWeEOlqb.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpB0DB.tmp", ProcessId: 2588, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MyzWeEOlqb.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MyzWeEOlqb.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MyzWeEOlqb.exe", ParentImage: C:\Users\user\Desktop\MyzWeEOlqb.exe, ParentProcessId: 5476, ParentProcessName: MyzWeEOlqb.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MyzWeEOlqb.exe", ProcessId: 6628, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpB0DB.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpB0DB.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\MyzWeEOlqb.exe", ParentImage: C:\Users\user\Desktop\MyzWeEOlqb.exe, ParentProcessId: 5476, ParentProcessName: MyzWeEOlqb.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpB0DB.tmp", ProcessId: 2588, ProcessName: schtasks.exe
No Suricata rule has matched


AV Detection

Source: 0.2.MyzWeEOlqb.exe.3930858.3.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Virustotal: Detection: 83%
Source: MyzWeEOlqb.exe; ReversingLabs: Detection: 73%
Source: MyzWeEOlqb.exe; Virustotal: Detection: 83%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Joe Sandbox ML: detected
Source: MyzWeEOlqb.exe; Joe Sandbox ML: detected
Source: MyzWeEOlqb.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: MyzWeEOlqb.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: oWRwy.pdbSHA256Z; source: MyzWeEOlqb.exe, uGbdmwuUS.exe.0.dr
Source: Binary string: oWRwy.pdb; source: MyzWeEOlqb.exe, uGbdmwuUS.exe.0.dr

Networking

Source: Yara match; File source: 0.2.MyzWeEOlqb.exe.38f5e38.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MyzWeEOlqb.exe.3930858.3.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View; IP Address: 104.26.12.205
Source: Joe Sandbox View; IP Address: 104.26.12.205
Source: Joe Sandbox View; IP Address: 46.175.148.58
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: api.ipify.org
Source: unknown; DNS query: name: api.ipify.org
Source: global traffic; TCP traffic: 192.168.2.6:49716 -> 46.175.148.58:25
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic; DNS traffic detected: DNS query: api.ipify.org
Source: global traffic; DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: MyzWeEOlqb.exe, 00000009.00000002.3376401569.0000000002CCC000.00000004.00000800.00020000.00000000.sdmp, uGbdmwuUS.exe, 0000000E.00000002.3375960649.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.iaa-airferight.com
Source: MyzWeEOlqb.exe, 00000000.00000002.2149567032.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, MyzWeEOlqb.exe, 00000009.00000002.3376401569.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, uGbdmwuUS.exe, 0000000A.00000002.2196893256.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, uGbdmwuUS.exe, 0000000E.00000002.3375960649.0000000002C09000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MyzWeEOlqb.exe, 00000000.00000002.2151243032.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, uGbdmwuUS.exe, 0000000E.00000002.3373024307.000000000042E000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: MyzWeEOlqb.exe, 00000000.00000002.2151243032.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, MyzWeEOlqb.exe, 00000009.00000002.3376401569.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, uGbdmwuUS.exe, 0000000E.00000002.3375960649.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, uGbdmwuUS.exe, 0000000E.00000002.3373024307.000000000042E000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org
Source: MyzWeEOlqb.exe, 00000009.00000002.3376401569.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, uGbdmwuUS.exe, 0000000E.00000002.3375960649.0000000002C09000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/
Source: MyzWeEOlqb.exe, 00000009.00000002.3376401569.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, uGbdmwuUS.exe, 0000000E.00000002.3375960649.0000000002C09000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/t
Source: unknown; Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown; Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown; HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49719 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\MyzWeEOlqb.exe
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\uGbdmwuUS.exe
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 14.2.uGbdmwuUS.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.MyzWeEOlqb.exe.38f5e38.5.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.MyzWeEOlqb.exe.3930858.3.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.MyzWeEOlqb.exe.38f5e38.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.MyzWeEOlqb.exe.3930858.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Code function: 0_2_00E7D584
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Code function: 0_2_06E8B748
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Code function: 0_2_06E8D438
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Code function: 0_2_06E8B320
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Code function: 0_2_06E8B310
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Code function: 0_2_06E8AEE8
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Code function: 0_2_06E8AEDA
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Code function: 0_2_06E8BB7F
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Code function: 9_2_00D9A957
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Code function: 9_2_00D94A98
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Code function: 9_2_00D93E80
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Code function: 9_2_00D941C8
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Code function: 9_2_00D9F8A5
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 10_2_0156D584
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 10_2_0962BB7F
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 10_2_0962AEE8
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 10_2_0962AEDA
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 10_2_0962B320
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 10_2_0962B310
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 10_2_0962D438
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 10_2_0962B748
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 10_2_0BF10310
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 10_2_0BF125B8
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 14_2_02BD4A98
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 14_2_02BD3E80
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 14_2_02BD41C8
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 14_2_02BDF8A5
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 14_2_067B3578
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 14_2_067B5D30
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 14_2_067B45A0
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 14_2_067B1030
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 14_2_067BE0B9
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 14_2_067BA140
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 14_2_067B91E0
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 14_2_067B5650
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 14_2_067BC618
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Code function: 14_2_067B3C8F
Source: MyzWeEOlqb.exe, 00000000.00000002.2149567032.00000000028F8000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs MyzWeEOlqb.exe
Source: MyzWeEOlqb.exe, 00000000.00000002.2171890191.0000000008C90000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameMontero.dll8 vs MyzWeEOlqb.exe
Source: MyzWeEOlqb.exe, 00000000.00000002.2149567032.0000000002909000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameArthur.dll" vs MyzWeEOlqb.exe
Source: MyzWeEOlqb.exe, 00000000.00000002.2147276974.00000000009CE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs MyzWeEOlqb.exe
Source: MyzWeEOlqb.exe, 00000000.00000000.2119286028.00000000004F2000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameoWRwy.exe< vs MyzWeEOlqb.exe
Source: MyzWeEOlqb.exe, 00000000.00000002.2151243032.00000000038B9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs MyzWeEOlqb.exe
Source: MyzWeEOlqb.exe, 00000000.00000002.2151243032.00000000038B9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameMontero.dll8 vs MyzWeEOlqb.exe
Source: MyzWeEOlqb.exe, 00000000.00000002.2171785776.0000000007A10000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameArthur.dll" vs MyzWeEOlqb.exe
Source: MyzWeEOlqb.exe, 00000009.00000002.3373443041.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs MyzWeEOlqb.exe
Source: MyzWeEOlqb.exe; Binary or memory string: OriginalFilenameoWRwy.exe< vs MyzWeEOlqb.exe
Source: MyzWeEOlqb.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 14.2.uGbdmwuUS.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.MyzWeEOlqb.exe.38f5e38.5.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.MyzWeEOlqb.exe.3930858.3.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.MyzWeEOlqb.exe.38f5e38.5.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.MyzWeEOlqb.exe.3930858.3.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: MyzWeEOlqb.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: uGbdmwuUS.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@18/15@2/2
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; File created: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2404:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1816:120:WilError_03
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; File created: C:\Users\user\AppData\Local\Temp\tmpB0DB.tmp
Source: MyzWeEOlqb.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: MyzWeEOlqb.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MyzWeEOlqb.exe; ReversingLabs: Detection: 73%
Source: MyzWeEOlqb.exe; Virustotal: Detection: 83%
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; File read: C:\Users\user\Desktop\MyzWeEOlqb.exe
Source: unknown; Process created: C:\Users\user\Desktop\MyzWeEOlqb.exe "C:\Users\user\Desktop\MyzWeEOlqb.exe"
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MyzWeEOlqb.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uGbdmwuUS.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpB0DB.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exeProcess created: C:\Users\user\Desktop\MyzWeEOlqb.exe "C:\Users\user\Desktop\MyzWeEOlqb.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe C:\Users\user\AppData\Roaming\uGbdmwuUS.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpC2CD.tmp"
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exeProcess created: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe "C:\Users\user\AppData\Roaming\uGbdmwuUS.exe"
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MyzWeEOlqb.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uGbdmwuUS.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpB0DB.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exeProcess created: C:\Users\user\Desktop\MyzWeEOlqb.exe "C:\Users\user\Desktop\MyzWeEOlqb.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpC2CD.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exeProcess created: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe "C:\Users\user\AppData\Roaming\uGbdmwuUS.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: textshaping.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: vaultcli.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles (Outlook profile store: the account settings a mail credential stealer reads)
                    Source: MyzWeEOlqb.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header present: a .NET assembly)
                    Source: MyzWeEOlqb.exe | Static file information: File size 1141248 > 1048576
                    Source: MyzWeEOlqb.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: MyzWeEOlqb.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: oWRwy.pdbSHA256Z | source: MyzWeEOlqb.exe, uGbdmwuUS.exe.0.dr
                    Source: Binary string: oWRwy.pdb | source: MyzWeEOlqb.exe, uGbdmwuUS.exe.0.dr
                    Source: MyzWeEOlqb.exe | Static PE information: 0xB6972A5E [Thu Jan 27 13:21:34 2067 UTC] (compile timestamp in the future; deterministic .NET builds also write a non-chronological TimeDateStamp, so on its own this is weak evidence)
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Code function: 9_2_00D90CCB push edi; retf 9_2_00D90C7A
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Code function: 9_2_00D90C53 push ebx; retf 9_2_00D90C52
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Code function: 9_2_00D90C45 push ebx; retf 9_2_00D90C52
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Code function: 14_2_02BD0C6D push edi; retf 14_2_02BD0C7A
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Code function: 14_2_02BD0C53 push ebx; retf 14_2_02BD0C52
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Code function: 14_2_02BD0C45 push ebx; retf 14_2_02BD0C52
                    Source: MyzWeEOlqb.exe | Static PE information: section name: .text entropy: 7.198360651897439 (near the 8 bits/byte ceiling: the code section is compressed or encrypted rather than plain IL; the dropped uGbdmwuUS.exe shows the same value)
                    Source: uGbdmwuUS.exe.0.dr | Static PE information: section name: .text entropy: 7.198360651897439
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | File created: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe
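The three static facts the report lists for this sample (a TimeDateStamp in the future, the DllCharacteristics flags and a .text entropy of 7.198) can be reproduced from the raw bytes without a PE library. The following is an added example and not code from the Joe Sandbox report: it walks the DOS, file, optional and section headers with the standard library, computes per-section Shannon entropy and flags the two conditions. The PE built by build_sample_pe() is a constructed fixture, not the analysed binary, and the 7.0 bits/byte threshold is an assumption.

```python
"""Static PE triage: build-timestamp plausibility, DllCharacteristics flags and
per-section Shannon entropy. Added example, standard library only; the sample
PE from build_sample_pe() is constructed for illustration, not the real binary."""
import math
import struct
import time
from datetime import datetime, timezone

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (at offset 70 in both PE32 and PE32+)
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# Assumed threshold: packed or encrypted code usually sits above 7 bits/byte.
ENTROPY_SUSPICIOUS = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_timestamp_utc(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def parse_pe(data: bytes) -> dict:
    """Minimal header walk: MZ -> e_lfanew -> 'PE\\0\\0' -> file/optional headers -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    fh = e_lfanew + 4                                  # IMAGE_FILE_HEADER, 20 bytes
    _machine, nsections, timestamp, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, fh)
    opt = fh + 20                                      # IMAGE_OPTIONAL_HEADER
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    sections = []
    for i in range(nsections):                         # section table follows the optional header
        off = opt + opt_size + i * 40
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 3)})
    return {"timestamp": timestamp,
            "timestamp_utc": pe_timestamp_utc(timestamp).isoformat(),
            "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
            "sections": sections}


def triage(data: bytes, now_ts: int = None) -> dict:
    """parse_pe() plus the two checks behind the report's static-information lines."""
    now_ts = int(time.time()) if now_ts is None else now_ts
    info = parse_pe(data)
    findings = []
    if info["timestamp"] > now_ts:
        findings.append("build timestamp lies in the future")
    for s in info["sections"]:
        if s["raw_size"] and s["entropy"] >= ENTROPY_SUSPICIOUS:
            findings.append(f"high entropy in {s['name']} ({s['entropy']} bits/byte)")
    info["findings"] = findings
    return info


def build_sample_pe(timestamp: int, text: bytes) -> bytes:
    """Constructed minimal PE32 with a single .text section (fixture, not a real binary)."""
    e_lfanew, opt_size, raw_ptr = 0x40, 96, 0x200     # 96 = PE32 optional header, no data dirs
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x0400 | 0x8000)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw_ptr,
                       0, 0, 0, 0, 0x60000020)         # CODE | EXECUTE | READ
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + sect).ljust(raw_ptr, b"\0") + text


if __name__ == "__main__":
    # Timestamp value from the report; the section bytes are a uniform ramp (maximal entropy).
    sample = build_sample_pe(0xB6972A5E, bytes(range(256)) * 4)
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

Point triage() at real file bytes (triage(open(path, "rb").read())) to run the same checks on a sample; the report's value 0xB6972A5E decodes to 2067-01-27T13:21:34 UTC, which is the condition the sandbox flagged.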

                    Boot Survival

                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpB0DB.tmp"
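The persistence entry above has the shape detection rules key on: schtasks.exe with /Create, a task definition imported via /XML from a file under the user's Temp folder, and a task name (Updates\uGbdmwuUS) that matches the dropped executable. The image path is SysWOW64 even though the command line names System32 because the 32-bit parent is subject to file-system redirection. Below is an added detection example, not code from the Joe Sandbox report or from any vendor rule: it tokenises a Windows command line, pulls out /TN and /XML and flags temp-folder XML imports. SAMPLE_EVENTS is constructed telemetry (only REPORT_CMDLINE is taken from the report), and the TEMP_DIRS list is an assumption to extend for your environment.

```python
"""Flag schtasks.exe task creation from an XML definition stored in a temp folder.
Added example; the event records are constructed, only REPORT_CMDLINE is real."""
import ntpath
import re
from typing import Optional

# Windows-style split: a double-quoted run is one token, no escape processing.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Assumed list of directories that mean "file written at runtime" (lower-case, separator-terminated).
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Command line as it appears in the report's Boot Survival entry.
REPORT_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" '
                  r'/XML "C:\Users\user\AppData\Local\Temp\tmpB0DB.tmp"')


def split_cmdline(cmdline: str) -> list:
    """Tokenise like CreateProcess consumers do for this purpose: quotes group, nothing escapes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def _arg_value(tokens: list, switch: str) -> Optional[str]:
    """Value following a case-insensitive switch such as /TN or /XML, or None if absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == switch:
            return tokens[i + 1]
    return None


def analyze_schtasks(cmdline: str) -> Optional[dict]:
    """Return a finding for 'schtasks /Create ... /XML <temp path>', otherwise None."""
    tokens = split_cmdline(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    switches = {t.lower() for t in tokens[1:] if t.startswith("/")}
    if "/create" not in switches:
        return None
    xml_path = _arg_value(tokens, "/xml")
    if xml_path is None:
        return None
    folder = ntpath.dirname(xml_path).lower() + "\\"
    if not any(d in folder for d in TEMP_DIRS):
        return None
    return {"task": _arg_value(tokens, "/tn"), "xml": xml_path,
            "reason": "task created from an XML definition in a temp directory"}


def scan(events: list) -> list:
    """Run analyze_schtasks over {'image', 'cmdline'} records; return hits with the image path."""
    hits = []
    for ev in events:
        finding = analyze_schtasks(ev["cmdline"])
        if finding:
            hits.append({"image": ev["image"], **finding})
    return hits


# Constructed process-creation telemetry. The first record mirrors the report; the
# SysWOW64 image path is what a 32-bit parent gets after file-system redirection.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\SysWOW64\schtasks.exe", "cmdline": REPORT_CMDLINE},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Nightly Backup" /SC DAILY /TR "C:\Tools\backup.exe"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /TN Inventory /XML "C:\ProgramData\Corp\inventory.xml"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /Query /TN Updates\uGbdmwuUS"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /xml C:\Windows\Temp\t.xml /tn Svc /f"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Only the report's command line and the lower-case Windows\Temp variant are flagged; a daily backup task and an XML import from ProgramData pass. On a live host the imported definition can be pulled back for review with schtasks /Query /TN "Updates\uGbdmwuUS" /XML, since the tmp file in Temp is usually gone by then.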

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 occurrences)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 occurrences)
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Process information set: NOOPENFILEERRORBOX (45 occurrences; SetErrorMode with SEM_NOOPENFILEERRORBOX suppresses the dialog the system would show when a file cannot be found, so failed loads stay silent)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match -- File source: Process Memory Space: MyzWeEOlqb.exe PID: 5476, type: MEMORYSTR
                    Source: Yara match -- File source: Process Memory Space: uGbdmwuUS.exe PID: 6048, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Memory allocated: E70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Memory allocated: 28B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Memory allocated: 27F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Memory allocated: 8E10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Memory allocated: 9E10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Memory allocated: A030000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Memory allocated: B030000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Memory allocated: D90000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Memory allocated: 2C50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Memory allocated: 2BA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Memory allocated: 1560000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Memory allocated: 32D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Memory allocated: 30E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Memory allocated: 9630000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Memory allocated: 9300000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Memory allocated: A630000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Memory allocated: B630000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Memory allocated: 2BD0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Memory allocated: 2C00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Memory allocated: 4C00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 7409
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 663
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 7848
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 471
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Window / User API: threadDelayed 4445
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Window / User API: threadDelayed 5355
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Window / User API: threadDelayed 1169
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Window / User API: threadDelayed 8693
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 1472 -- Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1220 -- Thread sleep time: -8301034833169293s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4836 -- Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3416 -- Thread sleep count: 7848 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5492 -- Thread sleep time: -8301034833169293s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6568 -- Thread sleep count: 471 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5396 -- Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep count: 41 > 30
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -37815825351104557s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 6548 -- Thread sleep count: 4445 > 30
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -99610s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep count: 33 > 30
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -99485s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -99360s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -99235s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -99110s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 6548 -- Thread sleep count: 5355 > 30
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -98985s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -98860s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -98735s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -98610s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -98485s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -98360s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -98235s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -98110s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -97985s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -97860s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -97735s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -97610s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -97485s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -97360s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -97235s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -97088s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -96838s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -96733s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -96625s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -96516s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -96406s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -96297s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -96188s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -96063s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -95938s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -95828s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -95719s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -95594s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -95485s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -95360s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -95235s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -95110s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -94985s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -94860s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -94735s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -94594s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -94465s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -94341s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -94235s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -94110s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -93985s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -93860s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -93735s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -93610s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -93485s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -93360s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe TID: 2300 -- Thread sleep time: -93235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 4328 -- Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -26747778906878833s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 6068 -- Thread sleep count: 1169 > 30
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -99866s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 6068 -- Thread sleep count: 8693 > 30
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -99750s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -99640s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -99531s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -99422s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -99312s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -99202s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -99093s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -98983s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -98854s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -98749s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -98640s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -98531s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -98422s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -98312s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -98203s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -98077s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -97966s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -97859s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -97750s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -97640s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -97531s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -97421s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -97312s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -97203s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -97093s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -96984s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -96875s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -96765s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -96653s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -96547s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -96437s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -96327s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -96218s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -96109s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -96000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -95890s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -95781s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -95672s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -95547s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -95437s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -95328s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -95218s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -95109s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -95000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -94890s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -94781s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -94672s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe TID: 672 -- Thread sleep time: -94547s >= -30000s
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 99610
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 99485
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 99360
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 99235
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 99110
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 98985
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 98860
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 98735
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 98610
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 98485
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 98360
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 98235
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 98110
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 97985
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 97860
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 97735
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 97610
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 97485
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 97360
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 97235
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 97088
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 96838
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 96733
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 96625
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 96516
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 96406
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 96297
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 96188
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 96063
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 95938
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 95828
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 95719
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 95594
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 95485
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 95360
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 95235
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 95110
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 94985
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 94860
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 94735
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 94594
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 94465
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 94341
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 94235
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 94110
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 93985
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 93860
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 93735
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 93610
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 93485
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 93360
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exe -- Thread delayed: delay time: 93235
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 99866
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 99750
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 99640
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 99531
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 99422
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 99312
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 99202
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 99093
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 98983
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 98854
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 98749
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 98640
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 98531
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 98422
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 98312
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 98203
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 98077
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 97966
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 97859
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 97750
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 97640
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 97531
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 97421
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 97312
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 97203
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 97093
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 96984
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 96875
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 96765
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 96653
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 96547
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 96437
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 96327
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 96218
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 96109
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 96000
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 95890
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 95781
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 95672
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 95547
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe -- Thread delayed: delay time: 95437
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exeThread delayed: delay time: 95328
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exeThread delayed: delay time: 95218
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exeThread delayed: delay time: 95109
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exeThread delayed: delay time: 95000
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exeThread delayed: delay time: 94890
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exeThread delayed: delay time: 94781
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exeThread delayed: delay time: 94672
                    Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exeThread delayed: delay time: 94547
                    Source: MyzWeEOlqb.exe, 00000009.00000002.3374186046.0000000000E48000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
                    Source: uGbdmwuUS.exe, 0000000E.00000002.3374380733.000000000107B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\MyzWeEOlqb.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MyzWeEOlqb.exe"
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uGbdmwuUS.exe"
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MyzWeEOlqb.exe"
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uGbdmwuUS.exe"
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Memory written: C:\Users\user\Desktop\MyzWeEOlqb.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Memory written: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MyzWeEOlqb.exe"
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uGbdmwuUS.exe"
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpB0DB.tmp"
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Process created: C:\Users\user\Desktop\MyzWeEOlqb.exe "C:\Users\user\Desktop\MyzWeEOlqb.exe"
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpC2CD.tmp"
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Process created: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe "C:\Users\user\AppData\Roaming\uGbdmwuUS.exe"
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Queries volume information: C:\Users\user\Desktop\MyzWeEOlqb.exe VolumeInformation
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Queries volume information: C:\Users\user\Desktop\MyzWeEOlqb.exe VolumeInformation
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Queries volume information: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Queries volume information: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match; File source: 14.2.uGbdmwuUS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MyzWeEOlqb.exe.38f5e38.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MyzWeEOlqb.exe.3930858.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MyzWeEOlqb.exe.38f5e38.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MyzWeEOlqb.exe.3930858.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.3376401569.0000000002CCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.3376401569.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.3373024307.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.3375960649.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.3375960649.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2151243032.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: MyzWeEOlqb.exe PID: 5476, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MyzWeEOlqb.exe PID: 4892, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: uGbdmwuUS.exe PID: 1016, type: MEMORYSTR
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\MyzWeEOlqb.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match; File source: 14.2.uGbdmwuUS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MyzWeEOlqb.exe.38f5e38.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MyzWeEOlqb.exe.3930858.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MyzWeEOlqb.exe.38f5e38.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MyzWeEOlqb.exe.3930858.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.3376401569.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.3373024307.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.3375960649.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2151243032.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: MyzWeEOlqb.exe PID: 5476, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MyzWeEOlqb.exe PID: 4892, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: uGbdmwuUS.exe PID: 1016, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: 14.2.uGbdmwuUS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.MyzWeEOlqb.exe.38f5e38.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.MyzWeEOlqb.exe.3930858.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.MyzWeEOlqb.exe.38f5e38.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.MyzWeEOlqb.exe.3930858.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.3376401569.0000000002CCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3376401569.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3373024307.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3375960649.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3375960649.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2151243032.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MyzWeEOlqb.exe PID: 5476, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MyzWeEOlqb.exe PID: 4892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: uGbdmwuUS.exe PID: 1016, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic, techniques listed in the report's row order; numbers preceding a technique are the report's count badges, reproduced as printed):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 121 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 111 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools; 2 Obfuscated Files or Information; 2 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 141 Virtualization/Sandbox Evasion; 111 Process Injection
Credential Access: 2 OS Credential Dumping; 11 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 211 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 11 Input Capture; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1588683 | Sample: MyzWeEOlqb.exe | Startdate: 11/01/2025 | Architecture: WINDOWS | Score: 100
(Reconstructed from the flattened graph export; numbers in parentheses after a process name are the graph's count badges, reproduced as printed.)

Start:
  DNS/IP: mail.iaa-airferight.com; api.ipify.org
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 7 other signatures
  Started: MyzWeEOlqb.exe (7); uGbdmwuUS.exe (5)

MyzWeEOlqb.exe (7):
  Dropped: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe (PE32); C:\Users\...\uGbdmwuUS.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpB0DB.tmp (XML); C:\Users\user\AppData\...\MyzWeEOlqb.exe.log (ASCII)
  Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
  Started: MyzWeEOlqb.exe (15 2); powershell.exe (23); powershell.exe (22); schtasks.exe (1)

uGbdmwuUS.exe (5):
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  Started: uGbdmwuUS.exe; schtasks.exe

MyzWeEOlqb.exe (15 2), child of MyzWeEOlqb.exe (7):
  DNS/IP: api.ipify.org 104.26.12.205, port 443, local ports 49714, 49719, CLOUDFLARENETUS, United States; mail.iaa-airferight.com 46.175.148.58, port 25, ASLAGIDKOM-NETUA, Ukraine
  Signatures: Installs a global keyboard hook

powershell.exe (23), child of MyzWeEOlqb.exe (7):
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe; WmiPrvSE.exe

powershell.exe (22), child of MyzWeEOlqb.exe (7):
  Started: conhost.exe

schtasks.exe (1), child of MyzWeEOlqb.exe (7):
  Started: conhost.exe

uGbdmwuUS.exe, child of uGbdmwuUS.exe (5):
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

schtasks.exe, child of uGbdmwuUS.exe (5):
  Started: conhost.exe

Source | Detection | Scanner | Label
MyzWeEOlqb.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook
MyzWeEOlqb.exe | 83% | Virustotal |
MyzWeEOlqb.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook
C:\Users\user\AppData\Roaming\uGbdmwuUS.exe | 83% | Virustotal |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.iaa-airferight.com | 46.175.148.58 | true | false | | high
api.ipify.org | 104.26.12.205 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | MyzWeEOlqb.exe, 00000000.00000002.2151243032.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, MyzWeEOlqb.exe, 00000009.00000002.3376401569.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, uGbdmwuUS.exe, 0000000E.00000002.3375960649.0000000002C09000.00000004.00000800.00020000.00000000.sdmp, uGbdmwuUS.exe, 0000000E.00000002.3373024307.000000000042E000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | MyzWeEOlqb.exe, 00000000.00000002.2151243032.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, uGbdmwuUS.exe, 0000000E.00000002.3373024307.000000000042E000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | MyzWeEOlqb.exe, 00000009.00000002.3376401569.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, uGbdmwuUS.exe, 0000000E.00000002.3375960649.0000000002C09000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | MyzWeEOlqb.exe, 00000000.00000002.2149567032.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, MyzWeEOlqb.exe, 00000009.00000002.3376401569.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, uGbdmwuUS.exe, 0000000A.00000002.2196893256.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, uGbdmwuUS.exe, 0000000E.00000002.3375960649.0000000002C09000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.iaa-airferight.com | MyzWeEOlqb.exe, 00000009.00000002.3376401569.0000000002CCC000.00000004.00000800.00020000.00000000.sdmp, uGbdmwuUS.exe, 0000000E.00000002.3375960649.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
46.175.148.58 | mail.iaa-airferight.com | Ukraine | 56394 | ASLAGIDKOM-NETUA | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588683
Start date and time: 2025-01-11 04:08:21 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 3s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: MyzWeEOlqb.exe (renamed because the original name is a hash value)
Original Sample Name: 978c433d464e5054730c8003bdea37d3e8c9a0b0e254a8eacdbb57fa543da44e.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@18/15@2/2
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 152
• Number of non-executed functions: 8
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.23.242.162, 13.107.246.45, 20.109.210.53, 20.12.23.50
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target MyzWeEOlqb.exe, PID 4892 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
04:09:14 | Task Scheduler | Run new task: uGbdmwuUS path: C:\Users\user\AppData\Roaming\uGbdmwuUS.exe
22:09:12 | API Interceptor | 1884908x Sleep call for process: MyzWeEOlqb.exe modified
22:09:14 | API Interceptor | 38x Sleep call for process: powershell.exe modified
22:09:17 | API Interceptor | 1479756x Sleep call for process: uGbdmwuUS.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.12.205 | Yoranis Setup.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | RtU8kXPnKr.exe | malicious | Quasar | api.ipify.org/
104.26.12.205 | jgbC220X2U.exe | malicious | Unknown | api.ipify.org/?format=text
104.26.12.205 | xKvkNk9SXR.exe | malicious | TrojanRansom | api.ipify.org/
104.26.12.205 | GD8c7ARn8q.exe | malicious | TrojanRansom | api.ipify.org/
104.26.12.205 | 8AbMCL2dxM.exe | malicious | RCRU64, TrojanRansom | api.ipify.org/
104.26.12.205 | Simple2.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | Ransomware Mallox.exe | malicious | Targeted Ransomware | api.ipify.org/
104.26.12.205 | Yc9hcFC1ux.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | 6706e721f2c06.exe | malicious | Remcos | api.ipify.org/
46.175.148.58 | 5hD3Yjf7xD.exe | malicious | AgentTesla |
46.175.148.58 | xJZHVgxQul.exe | malicious | AgentTesla |
46.175.148.58 | jG8N6WDJOx.exe | malicious | AgentTesla |
46.175.148.58 | HGhGAjCVw5.exe | malicious | AgentTesla |
46.175.148.58 | 0PPJsQE4wD.exe | malicious | AgentTesla |
46.175.148.58 | kzy8qg5lbR.exe | malicious | AgentTesla |
46.175.148.58 | OP53532 Harumi new order.scr.exe | malicious | AgentTesla |
46.175.148.58 | INV01542 , INV01562-7500003124 JTR-0084.exe | malicious | AgentTesla |
46.175.148.58 | Shipment Dec Orders valves 2024.scr.exe | malicious | AgentTesla |
46.175.148.58 | proforma invoice.exe | malicious | AgentTesla |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mail.iaa-airferight.com | 5hD3Yjf7xD.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | xJZHVgxQul.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | jG8N6WDJOx.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | HGhGAjCVw5.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | 0PPJsQE4wD.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | kzy8qg5lbR.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | OP53532 Harumi new order.scr.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | INV01542 , INV01562-7500003124 JTR-0084.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | Shipment Dec Orders valves 2024.scr.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | proforma invoice.exe | malicious | AgentTesla | 46.175.148.58
api.ipify.org | 5hD3Yjf7xD.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | ukBQ4ch2nE.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | ru52XOQ1p7.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | xJZHVgxQul.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | jG8N6WDJOx.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | HGhGAjCVw5.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | https://glfbanks.com/ | malicious | HTMLPhisher | 104.26.12.205
api.ipify.org | s2Jg1MAahY.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | Y8Q1voljvb.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | IUqsn1SBGy.exe | malicious | AgentTesla | 104.26.13.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | 02Eh1ah35H.exe | malicious | FormBook, GuLoader | 172.67.167.146
CLOUDFLARENETUS | 5hD3Yjf7xD.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | MBOaS3GRtF.exe | malicious | Snake Keylogger | 104.21.64.1
CLOUDFLARENETUS | https://freesourcecodes70738.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuW-242imNX | malicious | Unknown | 104.17.205.31
CLOUDFLARENETUS | fpIGwanLZi.exe | malicious | Snake Keylogger | 104.21.48.1
CLOUDFLARENETUS | fpIGwanLZi.exe | malicious | Snake Keylogger | 104.21.48.1
CLOUDFLARENETUS | AJ5zYYsisA.exe | malicious | Unknown | 188.114.97.3
CLOUDFLARENETUS | 1SxKeB4u0c.exe | malicious | FormBook | 104.21.95.160
CLOUDFLARENETUS | SpCuEoekPa.exe | malicious | FormBook | 104.21.64.1
ASLAGIDKOM-NETUA | 5hD3Yjf7xD.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | xJZHVgxQul.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | jG8N6WDJOx.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | HGhGAjCVw5.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | 0PPJsQE4wD.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | kzy8qg5lbR.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | OP53532 Harumi new order.scr.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | INV01542 , INV01562-7500003124 JTR-0084.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | Shipment Dec Orders valves 2024.scr.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | proforma invoice.exe | malicious | AgentTesla | 46.175.148.58
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | 5hD3Yjf7xD.exe | malicious | AgentTesla | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | AJ5zYYsisA.exe | malicious | Unknown | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | AJ5zYYsisA.exe | malicious | Unknown | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | 4NG0guPiKA.exe | malicious | GuLoader, MassLogger RAT | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | KtPCqWWnqM.exe | malicious | Unknown | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | KtPCqWWnqM.exe | malicious | Unknown | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.26.12.205
                                                        No context
                                                        Process:C:\Users\user\Desktop\MyzWeEOlqb.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                        Malicious:true
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                        Process:C:\Users\user\AppData\Roaming\uGbdmwuUS.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                        Malicious:false
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):2232
                                                        Entropy (8bit):5.380134126512796
                                                        Encrypted:false
                                                        SSDEEP:48:+WSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugei/ZPUyus:+LHxvIIwLgZ2KRHWLOugss
                                                        MD5:51B9285986F06C174EC0AFC647C9A160
                                                        SHA1:552AC1971077A2F1FECA924D3204AC7147C9C090
                                                        SHA-256:B21650D905494E51A286718B030016844BCE447C09F45073CC097182C2CACB24
                                                        SHA-512:796C94EE4F01761F1D1947BA16FF45C0CF7E0FB7C4081DB5D8E54D5EC4ED447A0644CE0F06A5297FB2A62E99717C99778CA638618F6E8C7079053427ECC0B783
                                                        Malicious:false
                                                        Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Users\user\Desktop\MyzWeEOlqb.exe
                                                        File Type:XML 1.0 document, ASCII text
                                                        Category:dropped
                                                        Size (bytes):1596
                                                        Entropy (8bit):5.09327359888145
                                                        Encrypted:false
                                                        SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLUQlxv:cge7QYrFdOFzOzN33ODOiDdKrsuTAMv
                                                        MD5:B14DDC8083CC9CDF8AC259699B1B703D
                                                        SHA1:E08D9B24E044D2DB2E015FD3FCC16C72E827508A
                                                        SHA-256:0F47EF67D0905AE004C79E0FF09CF63571472FFB947CEA75FF1F20F8DC25797C
                                                        SHA-512:8FEFC8A3026283F9E5FBC66BADD662B1A7EFB1025A221F2460C3788ADBA9AA3C55B0AF7E447EA078231D3A7340ABBA6689C9295F0838A4BBE99729D48B0840C2
                                                        Malicious:true
                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                                        Process:C:\Users\user\AppData\Roaming\uGbdmwuUS.exe
                                                        File Type:XML 1.0 document, ASCII text
                                                        Category:dropped
                                                        Size (bytes):1596
                                                        Entropy (8bit):5.09327359888145
                                                        Encrypted:false
                                                        SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLUQlxv:cge7QYrFdOFzOzN33ODOiDdKrsuTAMv
                                                        MD5:B14DDC8083CC9CDF8AC259699B1B703D
                                                        SHA1:E08D9B24E044D2DB2E015FD3FCC16C72E827508A
                                                        SHA-256:0F47EF67D0905AE004C79E0FF09CF63571472FFB947CEA75FF1F20F8DC25797C
                                                        SHA-512:8FEFC8A3026283F9E5FBC66BADD662B1A7EFB1025A221F2460C3788ADBA9AA3C55B0AF7E447EA078231D3A7340ABBA6689C9295F0838A4BBE99729D48B0840C2
                                                        Malicious:false
                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                                        Process:C:\Users\user\Desktop\MyzWeEOlqb.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1141248
                                                        Entropy (8bit):6.974106647038671
                                                        Encrypted:false
                                                        SSDEEP:24576:Lzs+7f184uYuInYQUEoc5B0XDd9kPNa/Y:Lzs+7NFuIUE/ahu0w
                                                        MD5:D1B6E4986207A3D73636AF9612F26101
                                                        SHA1:080AC4FA0ED47862E48BF8F2EA6794299EDB57DF
                                                        SHA-256:978C433D464E5054730C8003BDEA37D3E8C9A0B0E254A8EACDBB57FA543DA44E
                                                        SHA-512:8E275AA148976E4B02EFD6FF07DB0CF0377D3835F70AFBF7A7358915FD301836F69D042BA9E0C2F436F798D0ED15FC44AED21B9F979A72E94D0F905141509FF4
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 74%
                                                        • Antivirus: Virustotal, Detection: 83%, Browse
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^*................0.................. ... ....@.. ....................................@.....................................O.... ..0...............................p............................................ ............... ..H............text...$.... ...................... ..`.rsrc...0.... ......................@..@.reloc...............h..............@..B........................H........x..l.......7....~...j...........................................0.............o.....8.....o....t.......u.........,@..t......o....r...po....-..o....r...po....+......,....o.......+&.u...........,...t........o....(........o....:t......u........,...o......*...................0...........#........}.....#........}.....#........}.....#.....L.@}......}......}.....s....}.....s....}.....sG...}.....sM...}......}......}.....(.......(.......{....(.......{!...(.......{....(.......
                                                        Process:C:\Users\user\Desktop\MyzWeEOlqb.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:true
                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):6.974106647038671
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        • DOS Executable Generic (2002/1) 0.01%
                                                        File name:MyzWeEOlqb.exe
                                                        File size:1'141'248 bytes
                                                        MD5:d1b6e4986207a3d73636af9612f26101
                                                        SHA1:080ac4fa0ed47862e48bf8f2ea6794299edb57df
                                                        SHA256:978c433d464e5054730c8003bdea37d3e8c9a0b0e254a8eacdbb57fa543da44e
                                                        SHA512:8e275aa148976e4b02efd6ff07db0cf0377d3835f70afbf7a7358915fd301836f69d042ba9e0c2f436f798d0ed15fc44aed21b9f979a72e94d0f905141509ff4
                                                        SSDEEP:24576:Lzs+7f184uYuInYQUEoc5B0XDd9kPNa/Y:Lzs+7NFuIUE/ahu0w
                                                        TLSH:2135F73D69B92227E475C3778BE7E437A1349C6F3024AC6C58D277A61376A4234C326E
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^*................0.................. ... ....@.. ....................................@................................
                                                        Icon Hash:c5949296969e8473
                                                        Entrypoint:0x4e021e
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0xB6972A5E [Thu Jan 27 13:21:34 2067 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                        Instruction
                                                        jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe01ca | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe2000 | 0x38130 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xde8c0 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xde224 | 0xde400 | 855742d9be21d6a3a0df935e0495b11e | False | 0.7510512601940382 | MySQL table definition file Version 14, type UNKNOWN, MySQL version 0 | 7.198360651897439 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe2000 | 0x38130 | 0x38200 | 252a596be57ad23f41cb39f85464bee8 | False | 0.30802390729398665 | data | 5.206891260572458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x11c000 | 0xc | 0x200 | 7fc95ffdf11261660662b7f48e991226 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xe2460 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.38353658536585367
RT_ICON | 0xe2ac8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.48655913978494625
RT_ICON | 0xe2db0 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | | | 0.5286885245901639
RT_ICON | 0xe2f98 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.5878378378378378
RT_ICON | 0xe30c0 | 0x6739 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9933017975402081
RT_ICON | 0xe97fc | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.5578358208955224
RT_ICON | 0xea6a4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.6367328519855595
RT_ICON | 0xeaf4c | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.6497695852534562
RT_ICON | 0xeb614 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.47760115606936415
RT_ICON | 0xebb7c | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.125
RT_ICON | 0xfc3a4 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.21113622030691612
RT_ICON | 0x10584c | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | | | 0.21157894736842106
RT_ICON | 0x10c034 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.24269870609981517
RT_ICON | 0x1114bc | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.22325224374114314
RT_ICON | 0x1156e4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.3196058091286307
RT_ICON | 0x117c8c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.3642120075046904
RT_ICON | 0x118d34 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.5086065573770492
RT_ICON | 0x1196bc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5735815602836879
RT_GROUP_ICON | 0x119b24 | 0x102 | data | | | 0.5697674418604651
RT_VERSION | 0x119c28 | 0x31c | data | | | 0.4396984924623116
RT_MANIFEST | 0x119f44 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 04:09:15.484708071 CET | 49714 | 443 | 192.168.2.6 | 104.26.12.205
Jan 11, 2025 04:09:15.484764099 CET | 443 | 49714 | 104.26.12.205 | 192.168.2.6
Jan 11, 2025 04:09:15.484828949 CET | 49714 | 443 | 192.168.2.6 | 104.26.12.205
Jan 11, 2025 04:09:15.493010044 CET | 49714 | 443 | 192.168.2.6 | 104.26.12.205
Jan 11, 2025 04:09:15.493026972 CET | 443 | 49714 | 104.26.12.205 | 192.168.2.6
Jan 11, 2025 04:09:15.980068922 CET | 443 | 49714 | 104.26.12.205 | 192.168.2.6
Jan 11, 2025 04:09:15.980154991 CET | 49714 | 443 | 192.168.2.6 | 104.26.12.205
Jan 11, 2025 04:09:15.985970020 CET | 49714 | 443 | 192.168.2.6 | 104.26.12.205
Jan 11, 2025 04:09:15.985996008 CET | 443 | 49714 | 104.26.12.205 | 192.168.2.6
Jan 11, 2025 04:09:15.986445904 CET | 443 | 49714 | 104.26.12.205 | 192.168.2.6
Jan 11, 2025 04:09:16.033071041 CET | 49714 | 443 | 192.168.2.6 | 104.26.12.205
Jan 11, 2025 04:09:16.075334072 CET | 443 | 49714 | 104.26.12.205 | 192.168.2.6
Jan 11, 2025 04:09:16.145601988 CET | 443 | 49714 | 104.26.12.205 | 192.168.2.6
Jan 11, 2025 04:09:16.145669937 CET | 443 | 49714 | 104.26.12.205 | 192.168.2.6
Jan 11, 2025 04:09:16.145826101 CET | 49714 | 443 | 192.168.2.6 | 104.26.12.205
Jan 11, 2025 04:09:16.154162884 CET | 49714 | 443 | 192.168.2.6 | 104.26.12.205
Jan 11, 2025 04:09:16.779014111 CET | 49716 | 25 | 192.168.2.6 | 46.175.148.58
Jan 11, 2025 04:09:17.921575069 CET | 49716 | 25 | 192.168.2.6 | 46.175.148.58
Jan 11, 2025 04:09:19.189384937 CET | 49719 | 443 | 192.168.2.6 | 104.26.12.205
Jan 11, 2025 04:09:19.189435005 CET | 443 | 49719 | 104.26.12.205 | 192.168.2.6
Jan 11, 2025 04:09:19.189642906 CET | 49719 | 443 | 192.168.2.6 | 104.26.12.205
Jan 11, 2025 04:09:19.192321062 CET | 49719 | 443 | 192.168.2.6 | 104.26.12.205
Jan 11, 2025 04:09:19.192337990 CET | 443 | 49719 | 104.26.12.205 | 192.168.2.6
Jan 11, 2025 04:09:19.654957056 CET | 443 | 49719 | 104.26.12.205 | 192.168.2.6
Jan 11, 2025 04:09:19.655148029 CET | 49719 | 443 | 192.168.2.6 | 104.26.12.205
Jan 11, 2025 04:09:19.855452061 CET | 49719 | 443 | 192.168.2.6 | 104.26.12.205
Jan 11, 2025 04:09:19.855526924 CET | 443 | 49719 | 104.26.12.205 | 192.168.2.6
Jan 11, 2025 04:09:19.856590033 CET | 443 | 49719 | 104.26.12.205 | 192.168.2.6
Jan 11, 2025 04:09:19.952658892 CET | 49719 | 443 | 192.168.2.6 | 104.26.12.205
Jan 11, 2025 04:09:19.987015963 CET | 49719 | 443 | 192.168.2.6 | 104.26.12.205
Jan 11, 2025 04:09:20.015161037 CET | 49716 | 25 | 192.168.2.6 | 46.175.148.58
Jan 11, 2025 04:09:20.027338982 CET | 443 | 49719 | 104.26.12.205 | 192.168.2.6
Jan 11, 2025 04:09:20.096615076 CET | 443 | 49719 | 104.26.12.205 | 192.168.2.6
Jan 11, 2025 04:09:20.096780062 CET | 443 | 49719 | 104.26.12.205 | 192.168.2.6
Jan 11, 2025 04:09:20.096849918 CET | 49719 | 443 | 192.168.2.6 | 104.26.12.205
Jan 11, 2025 04:09:20.099845886 CET | 49719 | 443 | 192.168.2.6 | 104.26.12.205
Jan 11, 2025 04:09:20.569262981 CET | 49726 | 25 | 192.168.2.6 | 46.175.148.58
Jan 11, 2025 04:09:21.624533892 CET | 49726 | 25 | 192.168.2.6 | 46.175.148.58
Jan 11, 2025 04:09:23.624537945 CET | 49726 | 25 | 192.168.2.6 | 46.175.148.58
Jan 11, 2025 04:09:24.030967951 CET | 49716 | 25 | 192.168.2.6 | 46.175.148.58
Jan 11, 2025 04:09:27.628705978 CET | 49726 | 25 | 192.168.2.6 | 46.175.148.58
Jan 11, 2025 04:09:32.030786037 CET | 49716 | 25 | 192.168.2.6 | 46.175.148.58
Jan 11, 2025 04:09:35.640213013 CET | 49726 | 25 | 192.168.2.6 | 46.175.148.58
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 04:09:15.462512016 CET | 57496 | 53 | 192.168.2.6 | 1.1.1.1
Jan 11, 2025 04:09:15.469213963 CET | 53 | 57496 | 1.1.1.1 | 192.168.2.6
Jan 11, 2025 04:09:16.731894970 CET | 58787 | 53 | 192.168.2.6 | 1.1.1.1
Jan 11, 2025 04:09:16.768901110 CET | 53 | 58787 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 04:09:15.462512016 CET | 192.168.2.6 | 1.1.1.1 | 0x9254 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:09:16.731894970 CET | 192.168.2.6 | 1.1.1.1 | 0x262b | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 04:09:15.469213963 CET | 1.1.1.1 | 192.168.2.6 | 0x9254 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:09:15.469213963 CET | 1.1.1.1 | 192.168.2.6 | 0x9254 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:09:15.469213963 CET | 1.1.1.1 | 192.168.2.6 | 0x9254 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:09:16.768901110 CET | 1.1.1.1 | 192.168.2.6 | 0x262b | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false
                                                        • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49714 | 104.26.12.205 | 443 | 4892 | C:\Users\user\Desktop\MyzWeEOlqb.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 03:09:16 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2025-01-11 03:09:16 UTC | 424 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 03:09:16 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 9001b4ff7989c47c-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=1479&min_rtt=1470&rtt_var=571&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1885087&cwnd=214&unsent_bytes=0&cid=508fb529e49bd194&ts=177&x=0"
2025-01-11 03:09:16 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
Data Ascii: 8.46.123.189


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49719 | 104.26.12.205 | 443 | 1016 | C:\Users\user\AppData\Roaming\uGbdmwuUS.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 03:09:19 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2025-01-11 03:09:20 UTC | 424 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 03:09:20 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 9001b5183bb57c8d-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=2036&min_rtt=2031&rtt_var=772&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1407907&cwnd=192&unsent_bytes=0&cid=0ed3b365289acf6e&ts=452&x=0"
2025-01-11 03:09:20 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
Data Ascii: 8.46.123.189



                                                        Target ID:0
                                                        Start time:22:09:11
                                                        Start date:10/01/2025
                                                        Path:C:\Users\user\Desktop\MyzWeEOlqb.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\MyzWeEOlqb.exe"
                                                        Imagebase:0x410000
                                                        File size:1'141'248 bytes
                                                        MD5 hash:D1B6E4986207A3D73636AF9612F26101
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2151243032.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2151243032.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:22:09:12
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\MyzWeEOlqb.exe"
                                                        Imagebase:0xb30000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:22:09:12
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:22:09:13
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\uGbdmwuUS.exe"
                                                        Imagebase:0xb30000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:22:09:13
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:22:09:13
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpB0DB.tmp"
                                                        Imagebase:0x3b0000
                                                        File size:187'904 bytes
                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:8
                                                        Start time:22:09:13
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:22:09:14
                                                        Start date:10/01/2025
                                                        Path:C:\Users\user\Desktop\MyzWeEOlqb.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\MyzWeEOlqb.exe"
                                                        Imagebase:0x760000
                                                        File size:1'141'248 bytes
                                                        MD5 hash:D1B6E4986207A3D73636AF9612F26101
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3376401569.0000000002CCC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3376401569.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3376401569.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:false

                                                        Target ID:10
                                                        Start time:22:09:14
                                                        Start date:10/01/2025
                                                        Path:C:\Users\user\AppData\Roaming\uGbdmwuUS.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\AppData\Roaming\uGbdmwuUS.exe
                                                        Imagebase:0xe00000
                                                        File size:1'141'248 bytes
                                                        MD5 hash:D1B6E4986207A3D73636AF9612F26101
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 74%, ReversingLabs
                                                        • Detection: 83%, Virustotal, Browse
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:11
                                                        Start time:22:09:16
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                        Imagebase:0x7ff717f30000
                                                        File size:496'640 bytes
                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:22:09:18
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGbdmwuUS" /XML "C:\Users\user\AppData\Local\Temp\tmpC2CD.tmp"
                                                        Imagebase:0x3b0000
                                                        File size:187'904 bytes
                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:13
                                                        Start time:22:09:18
                                                        Start date:10/01/2025
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:14
                                                        Start time:22:09:18
                                                        Start date:10/01/2025
                                                        Path:C:\Users\user\AppData\Roaming\uGbdmwuUS.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Roaming\uGbdmwuUS.exe"
                                                        Imagebase:0x870000
                                                        File size:1'141'248 bytes
                                                        MD5 hash:D1B6E4986207A3D73636AF9612F26101
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3373024307.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3373024307.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3375960649.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3375960649.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3375960649.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Has exited:false


                                                          Execution Graph

                                                          Execution Coverage:9.4%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:54
                                                          Total number of Limit Nodes:3
                                                          execution_graph 38369 6e8def8 38370 6e8df43 ReadProcessMemory 38369->38370 38372 6e8df87 38370->38372 38385 6e8da08 38386 6e8da50 WriteProcessMemory 38385->38386 38388 6e8daa7 38386->38388 38389 6e8d388 38390 6e8d3c8 ResumeThread 38389->38390 38392 6e8d3f9 38390->38392 38393 6e8d948 38394 6e8d988 VirtualAllocEx 38393->38394 38396 6e8d9c5 38394->38396 38373 e7ae30 38376 e7af19 38373->38376 38374 e7ae3f 38377 e7af5c 38376->38377 38378 e7af39 38376->38378 38377->38374 38378->38377 38379 e7b160 GetModuleHandleW 38378->38379 38380 e7b18d 38379->38380 38380->38374 38381 6e8d870 38382 6e8d8b5 Wow64SetThreadContext 38381->38382 38384 6e8d8fd 38382->38384 38412 6e8e090 38413 6e8e119 CreateProcessA 38412->38413 38415 6e8e2db 38413->38415 38416 6e65d58 38417 6e65da6 DrawTextExW 38416->38417 38419 6e65dfe 38417->38419 38348 e74668 38349 e7467a 38348->38349 38350 e74686 38349->38350 38352 e74779 38349->38352 38353 e7479d 38352->38353 38357 e74888 38353->38357 38361 e74878 38353->38361 38359 e748af 38357->38359 38358 e7498c 38359->38358 38365 e7449c 38359->38365 38363 e748af 38361->38363 38362 e7498c 38363->38362 38364 e7449c CreateActCtxA 38363->38364 38364->38362 38366 e75918 CreateActCtxA 38365->38366 38368 e759db 38366->38368 38368->38368 38397 e7d5c8 38398 e7d60e 38397->38398 38402 e7d797 38398->38402 38405 e7d7a8 38398->38405 38399 e7d6fb 38403 e7d7d6 38402->38403 38408 e7bca0 38402->38408 38403->38399 38406 e7bca0 DuplicateHandle 38405->38406 38407 e7d7d6 38406->38407 38407->38399 38409 e7d810 DuplicateHandle 38408->38409 38411 e7d8a6 38409->38411 38411->38403

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 0 6e8e08f-6e8e125 3 6e8e15e-6e8e17e 0->3 4 6e8e127-6e8e131 0->4 11 6e8e180-6e8e18a 3->11 12 6e8e1b7-6e8e1e6 3->12 4->3 5 6e8e133-6e8e135 4->5 6 6e8e158-6e8e15b 5->6 7 6e8e137-6e8e141 5->7 6->3 9 6e8e143 7->9 10 6e8e145-6e8e154 7->10 9->10 10->10 13 6e8e156 10->13 11->12 14 6e8e18c-6e8e18e 11->14 20 6e8e1e8-6e8e1f2 12->20 21 6e8e21f-6e8e2d9 CreateProcessA 12->21 13->6 15 6e8e190-6e8e19a 14->15 16 6e8e1b1-6e8e1b4 14->16 18 6e8e19c 15->18 19 6e8e19e-6e8e1ad 15->19 16->12 18->19 19->19 22 6e8e1af 19->22 20->21 23 6e8e1f4-6e8e1f6 20->23 32 6e8e2db-6e8e2e1 21->32 33 6e8e2e2-6e8e368 21->33 22->16 25 6e8e1f8-6e8e202 23->25 26 6e8e219-6e8e21c 23->26 27 6e8e204 25->27 28 6e8e206-6e8e215 25->28 26->21 27->28 28->28 30 6e8e217 28->30 30->26 32->33 43 6e8e378-6e8e37c 33->43 44 6e8e36a-6e8e36e 33->44 46 6e8e38c-6e8e390 43->46 47 6e8e37e-6e8e382 43->47 44->43 45 6e8e370 44->45 45->43 49 6e8e3a0-6e8e3a4 46->49 50 6e8e392-6e8e396 46->50 47->46 48 6e8e384 47->48 48->46 51 6e8e3b6-6e8e3bd 49->51 52 6e8e3a6-6e8e3ac 49->52 50->49 53 6e8e398 50->53 54 6e8e3bf-6e8e3ce 51->54 55 6e8e3d4 51->55 52->51 53->49 54->55 57 6e8e3d5 55->57 57->57
                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06E8E2C6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2163479387.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6e80000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: 2a739b24a055b235f731c23cea2efaa82c5a29af1bbdc9d2d6f1987516c6f1a2
                                                          • Instruction ID: 7c88fff9bb47d2d481677bb595c2b8106670b354929bdf293c4f7c3dcfe8f6b9
                                                          • Opcode Fuzzy Hash: 2a739b24a055b235f731c23cea2efaa82c5a29af1bbdc9d2d6f1987516c6f1a2
                                                          • Instruction Fuzzy Hash: B5916971D00319DFEB60DFA8C9457AEBBB2BF48304F0485A9E80DA7280DB749985CF91

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 58 6e8e090-6e8e125 60 6e8e15e-6e8e17e 58->60 61 6e8e127-6e8e131 58->61 68 6e8e180-6e8e18a 60->68 69 6e8e1b7-6e8e1e6 60->69 61->60 62 6e8e133-6e8e135 61->62 63 6e8e158-6e8e15b 62->63 64 6e8e137-6e8e141 62->64 63->60 66 6e8e143 64->66 67 6e8e145-6e8e154 64->67 66->67 67->67 70 6e8e156 67->70 68->69 71 6e8e18c-6e8e18e 68->71 77 6e8e1e8-6e8e1f2 69->77 78 6e8e21f-6e8e2d9 CreateProcessA 69->78 70->63 72 6e8e190-6e8e19a 71->72 73 6e8e1b1-6e8e1b4 71->73 75 6e8e19c 72->75 76 6e8e19e-6e8e1ad 72->76 73->69 75->76 76->76 79 6e8e1af 76->79 77->78 80 6e8e1f4-6e8e1f6 77->80 89 6e8e2db-6e8e2e1 78->89 90 6e8e2e2-6e8e368 78->90 79->73 82 6e8e1f8-6e8e202 80->82 83 6e8e219-6e8e21c 80->83 84 6e8e204 82->84 85 6e8e206-6e8e215 82->85 83->78 84->85 85->85 87 6e8e217 85->87 87->83 89->90 100 6e8e378-6e8e37c 90->100 101 6e8e36a-6e8e36e 90->101 103 6e8e38c-6e8e390 100->103 104 6e8e37e-6e8e382 100->104 101->100 102 6e8e370 101->102 102->100 106 6e8e3a0-6e8e3a4 103->106 107 6e8e392-6e8e396 103->107 104->103 105 6e8e384 104->105 105->103 108 6e8e3b6-6e8e3bd 106->108 109 6e8e3a6-6e8e3ac 106->109 107->106 110 6e8e398 107->110 111 6e8e3bf-6e8e3ce 108->111 112 6e8e3d4 108->112 109->108 110->106 111->112 114 6e8e3d5 112->114 114->114
                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06E8E2C6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2163479387.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6e80000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: 6a131d227ab56214a9e371b79e72802c84b98b2c3d980d78fb0e70e96853dcce
                                                          • Instruction ID: 39a174dd3daecefbd5d270b28f219b11dd9821b45a6a1ac9061f31518b765db1
                                                          • Opcode Fuzzy Hash: 6a131d227ab56214a9e371b79e72802c84b98b2c3d980d78fb0e70e96853dcce
                                                          • Instruction Fuzzy Hash: 7B916871D00319DFEB60DFA8C9457AEBBB2BF48304F0485A9E80DA7280DB749985CF91

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 115 e7af19-e7af37 116 e7af63-e7af67 115->116 117 e7af39-e7af46 call e798a0 115->117 118 e7af7b-e7afbc 116->118 119 e7af69-e7af73 116->119 124 e7af5c 117->124 125 e7af48 117->125 126 e7afbe-e7afc6 118->126 127 e7afc9-e7afd7 118->127 119->118 124->116 171 e7af4e call e7b1c0 125->171 172 e7af4e call e7b1b0 125->172 126->127 128 e7affb-e7affd 127->128 129 e7afd9-e7afde 127->129 131 e7b000-e7b007 128->131 132 e7afe0-e7afe7 call e7a270 129->132 133 e7afe9 129->133 130 e7af54-e7af56 130->124 134 e7b098-e7b158 130->134 135 e7b014-e7b01b 131->135 136 e7b009-e7b011 131->136 138 e7afeb-e7aff9 132->138 133->138 166 e7b160-e7b18b GetModuleHandleW 134->166 167 e7b15a-e7b15d 134->167 139 e7b01d-e7b025 135->139 140 e7b028-e7b031 call e7a280 135->140 136->135 138->131 139->140 146 e7b033-e7b03b 140->146 147 e7b03e-e7b043 140->147 146->147 148 e7b045-e7b04c 147->148 149 e7b061-e7b06e 147->149 148->149 151 e7b04e-e7b05e call e7a290 call e7a2a0 148->151 155 e7b091-e7b097 149->155 156 e7b070-e7b08e 149->156 151->149 156->155 168 e7b194-e7b1a8 166->168 169 e7b18d-e7b193 166->169 167->166 169->168 171->130 172->130
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00E7B17E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2148720080.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e70000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 3cb1ac64b26dd685d835dd72646d94840c9f99b987107afdee87f0fdbbb3a93a
                                                          • Instruction ID: 4c7eb27e932c1ac7580e8c11efb6e5a74dbfed4f81a0610737d429137cb35d73
                                                          • Opcode Fuzzy Hash: 3cb1ac64b26dd685d835dd72646d94840c9f99b987107afdee87f0fdbbb3a93a
                                                          • Instruction Fuzzy Hash: BD815470A00B458FD724DF29D45479ABBF1FF88304F048A2EE09AE7A51DB75E845CBA1

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 173 e7449c-e759d9 CreateActCtxA 176 e759e2-e75a3c 173->176 177 e759db-e759e1 173->177 184 e75a3e-e75a41 176->184 185 e75a4b-e75a4f 176->185 177->176 184->185 186 e75a51-e75a5d 185->186 187 e75a60 185->187 186->187 188 e75a61 187->188 188->188
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 00E759C9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2148720080.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e70000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: 589f503f6e9526b8d900ca192a79aea04c9d1540eb5f1455050ce2b0e9d9071a
                                                          • Instruction ID: 7f1c3e4c9a95ef606b4b847a6475a1749c35aa2c62ec2c6144b25eb2b42b34af
                                                          • Opcode Fuzzy Hash: 589f503f6e9526b8d900ca192a79aea04c9d1540eb5f1455050ce2b0e9d9071a
                                                          • Instruction Fuzzy Hash: 7941B171C0071DCBEB24CFA9C98479EBBB5BF88704F20816AD508BB255DBB56946CF90

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 190 e7590c-e759d9 CreateActCtxA 192 e759e2-e75a3c 190->192 193 e759db-e759e1 190->193 200 e75a3e-e75a41 192->200 201 e75a4b-e75a4f 192->201 193->192 200->201 202 e75a51-e75a5d 201->202 203 e75a60 201->203 202->203 204 e75a61 203->204 204->204
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 00E759C9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2148720080.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e70000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: 5caace2e1f5df68dc066cbe7221c0065afa6311d497cf5a9ee3a3d47effdabc4
                                                          • Instruction ID: ba843cdc91f7e1651fa3fe6ed4760ee02ddacc92d91d8669cecfa29d70d532a6
                                                          • Opcode Fuzzy Hash: 5caace2e1f5df68dc066cbe7221c0065afa6311d497cf5a9ee3a3d47effdabc4
                                                          • Instruction Fuzzy Hash: 6A41DFB1C00719CFEB24CFA9C98478DBBB2BF88704F20856AD408AB255DBB56946CF50

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 206 6e65d50-6e65da4 208 6e65da6-6e65dac 206->208 209 6e65daf-6e65dbe 206->209 208->209 210 6e65dc3-6e65dfc DrawTextExW 209->210 211 6e65dc0 209->211 212 6e65e05-6e65e22 210->212 213 6e65dfe-6e65e04 210->213 211->210 213->212
                                                          APIs
                                                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 06E65DEF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2163138252.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6e60000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID: DrawText
                                                          • String ID:
                                                          • API String ID: 2175133113-0
                                                          • Opcode ID: 875e626a8369cff34fd762ef08f1750a307a4c9c163a2448b01368d034aeeaab
                                                          • Instruction ID: 09c6a28d9679a0ba79f2dba8b0d4a491615fc52146712b6165cfdf2d368f28e2
                                                          • Opcode Fuzzy Hash: 875e626a8369cff34fd762ef08f1750a307a4c9c163a2448b01368d034aeeaab
                                                          • Instruction Fuzzy Hash: 073102B5D003099FDB10CF9AD884ADEFBF8FB48324F14842AE818A3210D774A540CFA1

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 216 e7d808-e7d80c 217 e7d852-e7d8a4 DuplicateHandle 216->217 218 e7d80e-e7d84f 216->218 220 e7d8a6-e7d8ac 217->220 221 e7d8ad-e7d8ca 217->221 218->217 220->221
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E7D7D6,?,?,?,?,?), ref: 00E7D897
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2148720080.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e70000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 7d8a40ff59d0532131c08463f3549c07a85c68f22cc30250d669672fbe3275d0
                                                          • Instruction ID: db6a06b2365902ebacc7e6169d524829eaa95ac2939df57b0b5f12f1ec7fdb92
                                                          • Opcode Fuzzy Hash: 7d8a40ff59d0532131c08463f3549c07a85c68f22cc30250d669672fbe3275d0
                                                          • Instruction Fuzzy Hash: D73146B58003499FDB10CFAAD884ADEFFF4EF49320F14851AE958A7250C378A941CFA1

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 233 6e8da08-6e8da56 235 6e8da58-6e8da64 233->235 236 6e8da66-6e8daa5 WriteProcessMemory 233->236 235->236 238 6e8daae-6e8dade 236->238 239 6e8daa7-6e8daad 236->239 239->238
                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06E8DA98
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2163479387.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6e80000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0

                                                          APIs
                                                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 06E65DEF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2163138252.0000000006E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E60000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6e60000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID: DrawText
                                                          • String ID:
                                                          • API String ID: 2175133113-0

                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E8D8EE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2163479387.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6e80000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00E7D7D6,?,?,?,?,?), ref: 00E7D897
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2148720080.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e70000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0

                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E8DF78
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2163479387.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6e80000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0

                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06E8DF78
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2163479387.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6e80000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0

                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06E8D8EE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2163479387.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6e80000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0

                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06E8D9B6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2163479387.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6e80000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2163479387.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6e80000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00E7B17E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2148720080.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e70000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2147993526.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d0d000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2148160088.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d1d000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2148160088.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d1d000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2148160088.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d1d000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2147993526.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d0d000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2148160088.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d1d000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2147993526.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d0d000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2147993526.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_d0d000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2163479387.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6e80000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: !d8p
                                                          • API String ID: 0-831437180
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2163479387.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6e80000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2163479387.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6e80000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2163479387.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6e80000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f28c4b9e310cf4ca591c9c422655c33120d6715e7c7ac7f3cd71909a0b85bf6b
                                                          • Instruction ID: 3a509c214e27b0e6d66a97180ee505a35adc08f5ab3f6ad568814c362c982366
                                                          • Opcode Fuzzy Hash: f28c4b9e310cf4ca591c9c422655c33120d6715e7c7ac7f3cd71909a0b85bf6b
                                                          • Instruction Fuzzy Hash: A7E1FA74E002598FDB14DFA9C590AAEFBF2FF89304F249269D418AB355D730A942CF60
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2163479387.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6e80000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c6ed4dab36be74f0db30e584733f939d4bc1f620ba3510f9fb37b24d6eaaa42b
                                                          • Instruction ID: 99ec7d3f21669c0146127be51bb3aff916c235e5c60decf83fce109a94accd40
                                                          • Opcode Fuzzy Hash: c6ed4dab36be74f0db30e584733f939d4bc1f620ba3510f9fb37b24d6eaaa42b
                                                          • Instruction Fuzzy Hash: 37E1EB74E00259CFDB14DFA9C580AAEFBB2FF89304F249169D418AB355D771A942CF60
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2148720080.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_e70000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7907c5ec5ee5a452fa509337bb17062722f8c644f1c383e75967d70f9320be5b
                                                          • Instruction ID: 683d5892536b0f7a0cc199fb4bac11ea0766e8ced337b9309f3f7e6ce2145364
                                                          • Opcode Fuzzy Hash: 7907c5ec5ee5a452fa509337bb17062722f8c644f1c383e75967d70f9320be5b
                                                          • Instruction Fuzzy Hash: 13A15936A002098FCF19DFA4C84459EB7F2FF85304B25917AE909BB262DB71E956CB40
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2163479387.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6e80000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2793f0501ec90c4170a392a8fc326f5b82f37e9a31202244e9b0fc718ca05747
                                                          • Instruction ID: de37e8fed60a4fa6f386fdb82f643d0064159d61d62647e42bcd2a059ef3ad6c
                                                          • Opcode Fuzzy Hash: 2793f0501ec90c4170a392a8fc326f5b82f37e9a31202244e9b0fc718ca05747
                                                          • Instruction Fuzzy Hash: 5F511A74E006598FDB54DFA9C5805AEFBF2FF89304F248269D418A7316D7309942CFA1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2163479387.0000000006E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6e80000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b3df27f62321a4acbfc577da8c53bd8f3acbbd3b25e8a30a60317d37dbc1bf54
                                                          • Instruction ID: 2b712a85277f48e6f660b8dac2de983a9f4455978a353bd5c82b3556ec0b2072
                                                          • Opcode Fuzzy Hash: b3df27f62321a4acbfc577da8c53bd8f3acbbd3b25e8a30a60317d37dbc1bf54
                                                          • Instruction Fuzzy Hash: 4C510C74E006598FDB14DFA9C5805AEFBF2BF89304F248169D418B7315D7319942CFA1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d5e14483d379c5651eb35d077dcbdd9e6d27e38b04732260c0025927d690155e
                                                          • Instruction ID: 956967d00e6d2b92c489d8a08e819752f16331d7dd6947dd05e16893eafc0865
                                                          • Opcode Fuzzy Hash: d5e14483d379c5651eb35d077dcbdd9e6d27e38b04732260c0025927d690155e
                                                          • Instruction Fuzzy Hash: 2253F731D10B1A8ACB51EF68C8805A9F7B1FF99300F15D79AE4587B121EB70AAC5CF91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: \V[n
                                                          • API String ID: 0-1005319620
                                                          • Opcode ID: d3ed5753020dc833064ca0213dd6a7028ba3f3881f1e73a924e8f04f15329606
                                                          • Instruction ID: b6900fc391bdd9b649d6505352805e2e6a5196d4633714bf87eceb26e4cdaad0
                                                          • Opcode Fuzzy Hash: d3ed5753020dc833064ca0213dd6a7028ba3f3881f1e73a924e8f04f15329606
                                                          • Instruction Fuzzy Hash: CE916F70E00309CFDF14CFA9D995BDEBBF2AF88314F148129E415A7254EB749986CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 757d98ea1560d6366c10cc8d5dadf87c6a0a77441151ffb8aae36f1ead62d90e
                                                          • Instruction ID: 933d0b3f383ca867d249a0ba49c7a473ab726fa9bd087ec0f0688f2696b192be
                                                          • Opcode Fuzzy Hash: 757d98ea1560d6366c10cc8d5dadf87c6a0a77441151ffb8aae36f1ead62d90e
                                                          • Instruction Fuzzy Hash: FCB15E70E00209CFDF14CFA9D891BADBBF2AF88714F288529D815E7355EB749846CB91
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: \V[n$\V[n
                                                          • API String ID: 0-3705941238
                                                          • Opcode ID: e6e6cb74fc40268379f975e97317091b47b47dc10ce0c48b7247edf601a4a535
                                                          • Instruction ID: 52b558f53f065f674866d8ab833a80853fc74d0ccb1b85133bb9affb3f10713b
                                                          • Opcode Fuzzy Hash: e6e6cb74fc40268379f975e97317091b47b47dc10ce0c48b7247edf601a4a535
                                                          • Instruction Fuzzy Hash: E1716C70D00249DFDF10DFA9D881BEEBBF2AF88714F188129E415A7255EB749842CFA5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: \V[n$\V[n
                                                          • API String ID: 0-3705941238
                                                          • Opcode ID: 31010262ddd01e50b4cf75b96f2125972b604d580efe8f3dfa32c211f0420bb9
                                                          • Instruction ID: d1f13d80300d81d3171e9aa9fe9ee2508673df91ada5fb3d6b99d7afcf15f812
                                                          • Opcode Fuzzy Hash: 31010262ddd01e50b4cf75b96f2125972b604d580efe8f3dfa32c211f0420bb9
                                                          • Instruction Fuzzy Hash: DA718C70E00249DFDF14DFA9D881B9EBBF2BF88714F188129E415A7255EB749842CFA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: \V[n
                                                          • API String ID: 0-1005319620
                                                          • Opcode ID: cac8e137f4b9eb0a6017f9316bc55ea23c7ccd5918416e9806e9d57c17eae18b
                                                          • Instruction ID: e021532ca451d383ef66691e568063f672e8ffa412d674f4ec874835bf6f1c8c
                                                          • Opcode Fuzzy Hash: cac8e137f4b9eb0a6017f9316bc55ea23c7ccd5918416e9806e9d57c17eae18b
                                                          • Instruction Fuzzy Hash: 57A16F70E00349CFDF10CFA8D995BDDBBF1AF48314F188129E419A7255EB749986CBA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: {
                                                          • API String ID: 0-2739055043
                                                          • Opcode ID: 5a1bde083b6bd2aa71838184c7a04c6eedb6e92d5f0be9e51901931f636ef6cf
                                                          • Instruction ID: ae20d1ace41f18a6fe0c598e77fb249a45dec6230086beadcbc944fc9ccb7954
                                                          • Opcode Fuzzy Hash: 5a1bde083b6bd2aa71838184c7a04c6eedb6e92d5f0be9e51901931f636ef6cf
                                                          • Instruction Fuzzy Hash: CC21D5386043428FDF366B29D98472C7B31EB47311F58047AE447D7391DA2A8C8A8BA2
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6149e8cd6aac38cc1b49dd098a28bdac28720b867edc89b0b1ae0a9914117839
                                                          • Instruction ID: cdca2d3fb5cd76739b6de9e498bdd768d598245f05ec8a0aa93af13c32aa54de
                                                          • Opcode Fuzzy Hash: 6149e8cd6aac38cc1b49dd098a28bdac28720b867edc89b0b1ae0a9914117839
                                                          • Instruction Fuzzy Hash: 12124F307002029FDF19AB68E99472837A3EBC6316F54493DE105EB355CF7ADC8A97A1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: aef4c1252f09904d505d23a121f6c8ade604097de729824dd10e6366e608641f
                                                          • Instruction ID: 5ca37b70320449d079def1a31c70269b6370ddd3e897d2285c2de487099fcb99
                                                          • Opcode Fuzzy Hash: aef4c1252f09904d505d23a121f6c8ade604097de729824dd10e6366e608641f
                                                          • Instruction Fuzzy Hash: BBE19035B002059FDF14DB68D594BADBBB2EF88310F248569E809EB391DB35DD42CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 14bf75f1add76e09a69c95b64b1a1f34b29a3312d6e342ec594e39e0902278cb
                                                          • Instruction ID: 413b2ada0c6c1d72a9d20652f2946f2f901f01596e0e3fb62da5c320602d1ef0
                                                          • Opcode Fuzzy Hash: 14bf75f1add76e09a69c95b64b1a1f34b29a3312d6e342ec594e39e0902278cb
                                                          • Instruction Fuzzy Hash: D5B15E70E00209CFDF10CFA8D895BEDBBF1AF48714F288129D815E7255EB749846CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e54d9ab12d4a6b3f341a901d0decce1b0eef644008eed074e122d10b7cada6f5
                                                          • Instruction ID: 5993d588903d1e6744d1bbe2648232eadb8a702e1df001afc60556fe87be0a38
                                                          • Opcode Fuzzy Hash: e54d9ab12d4a6b3f341a901d0decce1b0eef644008eed074e122d10b7cada6f5
                                                          • Instruction Fuzzy Hash: AB6169347142148FCF15EB68D558AAE7BF2EF89700F2400A9E406EB7A2DB75DC41CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b0e06e02db3eb32c5e5113651d2aa29caa03de1e393a65f5badcaeae07c98912
                                                          • Instruction ID: c2b5e74316b2d7353a3bcb49c9c54c97024092521b4ba4b0a5a573b703269862
                                                          • Opcode Fuzzy Hash: b0e06e02db3eb32c5e5113651d2aa29caa03de1e393a65f5badcaeae07c98912
                                                          • Instruction Fuzzy Hash: CD51E632E041244BDF20EA69D8807AEF7A2EBA5320F2D8976D459EB141D335DC46CBB0
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4bfe6500a8536521cb6125d50ce3a177922ad4eefb0d6744f4fae0f6f1a23586
                                                          • Instruction ID: 81ca15b6ee0711452e7831dee2511dc4841ab9a8159161ee5ad3635f8f5e8b10
                                                          • Opcode Fuzzy Hash: 4bfe6500a8536521cb6125d50ce3a177922ad4eefb0d6744f4fae0f6f1a23586
                                                          • Instruction Fuzzy Hash: A9515E75A00205DFDB04DFA9E884799FBB1FF88310F14C269E9089B395EB70D945CBA1
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d1648488d08eb08f78884c449eb6808b6d2090df6df05231040bac80e1141ef1
                                                          • Instruction ID: 1d76febc9c97e52d5143ebec51740f0ee514220620e89f259c581121c48db6b0
                                                          • Opcode Fuzzy Hash: d1648488d08eb08f78884c449eb6808b6d2090df6df05231040bac80e1141ef1
                                                          • Instruction Fuzzy Hash: 15510374E002188FDF18CFA9D885B9DBBB1FF48310F18852AE815AB355D774A844CFA5
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 43a32bdfe9f5d704875781fa11f1c9105ef1a8c14508ecc91f1915a7897905aa
                                                          • Instruction ID: 298b745f8c889df9caa5790e51df39d455ee993d58cc9f44e28f065c8cfbd7c4
                                                          • Opcode Fuzzy Hash: 43a32bdfe9f5d704875781fa11f1c9105ef1a8c14508ecc91f1915a7897905aa
                                                          • Instruction Fuzzy Hash: 2D51E6352153828FC70AFF28F890B553FA5BBA630534469ADD104FB26ADA606D85DF90
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b8d2b2ac8f25b586363f93095fa338c6d989561f3013d45f4a9330cb3aee51c3
                                                          • Instruction ID: 725b162e5b68652ad1be7d1b2901ca7ef7ba89ea3ab93a45be319d175e80ab7e
                                                          • Opcode Fuzzy Hash: b8d2b2ac8f25b586363f93095fa338c6d989561f3013d45f4a9330cb3aee51c3
                                                          • Instruction Fuzzy Hash: 0E51D6352153828FC60AFF28F890B593FE5FBA6305344A96DD104FB26ADA602D85DF90
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a751c379cdc2e084dccdbe42686ea4e969e08dafdabdd56997054367777832c4
                                                          • Instruction ID: 7199a578e4d89c3df3364409088e0d294590609340622366f8b388a339bd11ea
                                                          • Opcode Fuzzy Hash: a751c379cdc2e084dccdbe42686ea4e969e08dafdabdd56997054367777832c4
                                                          • Instruction Fuzzy Hash: DA419072B002068BDF64DA6CD5C076EB7B2FB85310F684929D50ADB384DB35DC8187E2
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • Opcode Fuzzy Hash: d17c3ee247392e58215694674ac0c460ff539aa9509b7d473033cd559b12464b
                                                          • Instruction Fuzzy Hash: 5DF0C435B00204CFC714EB74EA98B6D77B2EF89211F5184A8E906AB3A4DB31AD42CB40
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8e75c7183add89f0630c880659b189fbea56aeb58cd598ed0e2649d3fb6a9f82
                                                          • Instruction ID: d2abafdbbe2a2403219a810ce812176e41bf380250c0abd8176676d18b0c1d14
                                                          • Opcode Fuzzy Hash: 8e75c7183add89f0630c880659b189fbea56aeb58cd598ed0e2649d3fb6a9f82
                                                          • Instruction Fuzzy Hash: 5AF0363450028ADFDB09FFA8F98075D7BB5EB80300F50556CC104B7154DF712E449791
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.3374086726.0000000000D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_d90000_MyzWeEOlqb.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5b4a60a4446f1003d909fa6a005cc0515f1027380c2f91c93c1c7e0eb64a16fd
                                                          • Instruction ID: b7562774443ef6d02d944193259a9ebaf8f2c9f35181b782bae89850a1294b83
                                                          • Opcode Fuzzy Hash: 5b4a60a4446f1003d909fa6a005cc0515f1027380c2f91c93c1c7e0eb64a16fd
                                                          • Instruction Fuzzy Hash: 15F0A71670D395EFEF31A5602854234BEC09B56735F4C449DD68887217E1428C58D7B2

                                                          Execution Graph

                                                          Execution Coverage:10.3%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:173
                                                          Total number of Limit Nodes:9
                                                          execution_graph 44668 962e6c3 44672 962fd60 44668->44672 44690 962fd70 44668->44690 44669 962e6de 44673 962fd8a 44672->44673 44708 bf108b1 44673->44708 44716 bf10d2c 44673->44716 44720 bf10a8c 44673->44720 44725 bf107aa 44673->44725 44730 bf10529 44673->44730 44735 bf10807 44673->44735 44743 bf10ac4 44673->44743 44748 bf10bc5 44673->44748 44753 bf1075e 44673->44753 44758 bf10dfd 44673->44758 44763 bf10698 44673->44763 44768 bf10bb0 44673->44768 44773 bf10310 44673->44773 44778 bf10931 44673->44778 44783 bf10731 44673->44783 44674 962fdae 44674->44669 44691 962fd8a 44690->44691 44693 bf108b1 4 API calls 44691->44693 44694 bf10731 2 API calls 44691->44694 44695 bf10931 2 API calls 44691->44695 44696 bf10310 2 API calls 44691->44696 44697 bf10bb0 2 API calls 44691->44697 44698 bf10698 2 API calls 44691->44698 44699 bf10dfd 2 API calls 44691->44699 44700 bf1075e 2 API calls 44691->44700 44701 bf10bc5 2 API calls 44691->44701 44702 bf10ac4 2 API calls 44691->44702 44703 bf10807 4 API calls 44691->44703 44704 bf10529 2 API calls 44691->44704 44705 bf107aa 2 API calls 44691->44705 44706 bf10a8c 2 API calls 44691->44706 44707 bf10d2c 2 API calls 44691->44707 44692 962fdae 44692->44669 44693->44692 44694->44692 44695->44692 44696->44692 44697->44692 44698->44692 44699->44692 44700->44692 44701->44692 44702->44692 44703->44692 44704->44692 44705->44692 44706->44692 44707->44692 44709 bf108b2 44708->44709 44710 bf1051f 44709->44710 44788 962da01 44709->44788 44792 962da08 44709->44792 44796 962d870 44710->44796 44800 962d869 44710->44800 44711 bf10e2a 44804 962def1 44716->44804 44808 962def8 44716->44808 44717 bf10d4e 44717->44674 44722 bf10416 44720->44722 44721 bf10f39 44721->44674 44722->44721 44812 962e090 44722->44812 44816 962e084 44722->44816 44726 bf10ad5 44725->44726 44728 962d870 Wow64SetThreadContext 44726->44728 44729 962d869 Wow64SetThreadContext 44726->44729 44727 bf10af0 44728->44727 44729->44727 44731 
bf1051f 44730->44731 44733 962d870 Wow64SetThreadContext 44731->44733 44734 962d869 Wow64SetThreadContext 44731->44734 44732 bf10e2a 44733->44732 44734->44732 44736 bf10910 44735->44736 44737 bf1051f 44736->44737 44739 962da01 WriteProcessMemory 44736->44739 44740 962da08 WriteProcessMemory 44736->44740 44741 962d870 Wow64SetThreadContext 44737->44741 44742 962d869 Wow64SetThreadContext 44737->44742 44738 bf10e2a 44739->44737 44740->44737 44741->44738 44742->44738 44744 bf10cf9 44743->44744 44820 962d940 44744->44820 44824 962d948 44744->44824 44745 bf10d17 44750 bf10416 44748->44750 44749 bf10f39 44749->44674 44750->44749 44751 962e090 CreateProcessA 44750->44751 44752 962e084 CreateProcessA 44750->44752 44751->44750 44752->44750 44754 bf10764 44753->44754 44755 bf10bbd 44754->44755 44828 962d380 44754->44828 44832 962d388 44754->44832 44759 bf10e03 44758->44759 44760 bf10e2a 44759->44760 44761 962d870 Wow64SetThreadContext 44759->44761 44762 962d869 Wow64SetThreadContext 44759->44762 44761->44760 44762->44760 44764 bf106b3 44763->44764 44766 962da01 WriteProcessMemory 44764->44766 44767 962da08 WriteProcessMemory 44764->44767 44765 bf10da5 44766->44765 44767->44765 44769 bf10775 44768->44769 44770 bf10bbd 44768->44770 44769->44768 44771 962d380 ResumeThread 44769->44771 44772 962d388 ResumeThread 44769->44772 44771->44769 44772->44769 44775 bf10343 44773->44775 44774 bf10f39 44774->44674 44775->44774 44776 962e090 CreateProcessA 44775->44776 44777 962e084 CreateProcessA 44775->44777 44776->44775 44777->44775 44779 bf1051f 44778->44779 44779->44778 44781 962d870 Wow64SetThreadContext 44779->44781 44782 962d869 Wow64SetThreadContext 44779->44782 44780 bf10e2a 44781->44780 44782->44780 44784 bf10758 44783->44784 44786 962da01 WriteProcessMemory 44784->44786 44787 962da08 WriteProcessMemory 44784->44787 44785 bf10e78 44786->44785 44787->44785 44789 962da50 WriteProcessMemory 44788->44789 44791 962daa7 44789->44791 44791->44710 44793 962da50 WriteProcessMemory 
44792->44793 44795 962daa7 44793->44795 44795->44710 44797 962d8b5 Wow64SetThreadContext 44796->44797 44799 962d8fd 44797->44799 44799->44711 44801 962d870 Wow64SetThreadContext 44800->44801 44803 962d8fd 44801->44803 44803->44711 44805 962def8 ReadProcessMemory 44804->44805 44807 962df87 44805->44807 44807->44717 44809 962df43 ReadProcessMemory 44808->44809 44811 962df87 44809->44811 44811->44717 44813 962e119 44812->44813 44813->44813 44814 962e27e CreateProcessA 44813->44814 44815 962e2db 44814->44815 44817 962e090 CreateProcessA 44816->44817 44819 962e2db 44817->44819 44821 962d948 VirtualAllocEx 44820->44821 44823 962d9c5 44821->44823 44823->44745 44825 962d988 VirtualAllocEx 44824->44825 44827 962d9c5 44825->44827 44827->44745 44829 962d3c8 ResumeThread 44828->44829 44831 962d3f9 44829->44831 44831->44754 44833 962d3c8 ResumeThread 44832->44833 44835 962d3f9 44833->44835 44835->44754 44845 7ea5d58 44846 7ea5da6 DrawTextExW 44845->44846 44848 7ea5dfe 44846->44848 44836 156ae30 44837 156ae31 44836->44837 44840 156af19 44837->44840 44838 156ae3f 44841 156af39 44840->44841 44842 156af5c 44840->44842 44841->44842 44843 156b160 GetModuleHandleW 44841->44843 44842->44838 44844 156b18d 44843->44844 44844->44838 44642 bf11128 44644 bf1112d 44642->44644 44643 bf112b3 44644->44643 44647 bf113a1 PostMessageW 44644->44647 44649 bf113a8 PostMessageW 44644->44649 44648 bf11414 44647->44648 44648->44644 44650 bf11414 44649->44650 44650->44644 44651 156d5c8 44652 156d5c9 44651->44652 44656 156d797 44652->44656 44660 156d7a8 44652->44660 44653 156d6fb 44657 156d7a8 44656->44657 44664 156bca0 44657->44664 44661 156d7ad 44660->44661 44662 156bca0 DuplicateHandle 44661->44662 44663 156d7d6 44662->44663 44663->44653 44665 156d810 DuplicateHandle 44664->44665 44667 156d7d6 44665->44667 44667->44653 44849 1564668 44850 1564669 44849->44850 44851 1564686 44850->44851 44853 1564779 44850->44853 44854 156477c 44853->44854 44858 1564878 44854->44858 44862 1564888 44854->44862 44860 
156487c 44858->44860 44859 156498c 44859->44859 44860->44859 44866 156449c 44860->44866 44864 1564889 44862->44864 44863 156498c 44863->44863 44864->44863 44865 156449c CreateActCtxA 44864->44865 44865->44863 44867 1565918 CreateActCtxA 44866->44867 44869 15659db 44867->44869

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 0 962e084-962e125 3 962e127-962e131 0->3 4 962e15e-962e17e 0->4 3->4 5 962e133-962e135 3->5 9 962e180-962e18a 4->9 10 962e1b7-962e1e6 4->10 7 962e137-962e141 5->7 8 962e158-962e15b 5->8 11 962e143 7->11 12 962e145-962e154 7->12 8->4 9->10 13 962e18c-962e18e 9->13 20 962e1e8-962e1f2 10->20 21 962e21f-962e2d9 CreateProcessA 10->21 11->12 12->12 14 962e156 12->14 15 962e190-962e19a 13->15 16 962e1b1-962e1b4 13->16 14->8 18 962e19e-962e1ad 15->18 19 962e19c 15->19 16->10 18->18 22 962e1af 18->22 19->18 20->21 23 962e1f4-962e1f6 20->23 32 962e2e2-962e368 21->32 33 962e2db-962e2e1 21->33 22->16 25 962e1f8-962e202 23->25 26 962e219-962e21c 23->26 27 962e206-962e215 25->27 28 962e204 25->28 26->21 27->27 29 962e217 27->29 28->27 29->26 43 962e36a-962e36e 32->43 44 962e378-962e37c 32->44 33->32 43->44 47 962e370 43->47 45 962e37e-962e382 44->45 46 962e38c-962e390 44->46 45->46 48 962e384 45->48 49 962e392-962e396 46->49 50 962e3a0-962e3a4 46->50 47->44 48->46 49->50 51 962e398 49->51 52 962e3b6-962e3bd 50->52 53 962e3a6-962e3ac 50->53 51->50 54 962e3d4 52->54 55 962e3bf-962e3ce 52->55 53->52 56 962e3d5 54->56 55->54 56->56
                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0962E2C6
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2202504947.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_9620000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: 2a3ffef26495a21ac1f7ef9e7ecb90135250542523a6bae63eaee7fc367eaffd
                                                          • Instruction ID: 5811d114b2eb2217e6cc8f6858fdc469fb00e4ae92484b97a63851a06d2b43db
                                                          • Opcode Fuzzy Hash: 2a3ffef26495a21ac1f7ef9e7ecb90135250542523a6bae63eaee7fc367eaffd
                                                          • Instruction Fuzzy Hash: BCA15971D01629DFEF25CFA8C8457ADBBB2AF48310F148169E809A7340DB759985CF91

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 58 962e090-962e125 60 962e127-962e131 58->60 61 962e15e-962e17e 58->61 60->61 62 962e133-962e135 60->62 66 962e180-962e18a 61->66 67 962e1b7-962e1e6 61->67 64 962e137-962e141 62->64 65 962e158-962e15b 62->65 68 962e143 64->68 69 962e145-962e154 64->69 65->61 66->67 70 962e18c-962e18e 66->70 77 962e1e8-962e1f2 67->77 78 962e21f-962e2d9 CreateProcessA 67->78 68->69 69->69 71 962e156 69->71 72 962e190-962e19a 70->72 73 962e1b1-962e1b4 70->73 71->65 75 962e19e-962e1ad 72->75 76 962e19c 72->76 73->67 75->75 79 962e1af 75->79 76->75 77->78 80 962e1f4-962e1f6 77->80 89 962e2e2-962e368 78->89 90 962e2db-962e2e1 78->90 79->73 82 962e1f8-962e202 80->82 83 962e219-962e21c 80->83 84 962e206-962e215 82->84 85 962e204 82->85 83->78 84->84 86 962e217 84->86 85->84 86->83 100 962e36a-962e36e 89->100 101 962e378-962e37c 89->101 90->89 100->101 104 962e370 100->104 102 962e37e-962e382 101->102 103 962e38c-962e390 101->103 102->103 105 962e384 102->105 106 962e392-962e396 103->106 107 962e3a0-962e3a4 103->107 104->101 105->103 106->107 108 962e398 106->108 109 962e3b6-962e3bd 107->109 110 962e3a6-962e3ac 107->110 108->107 111 962e3d4 109->111 112 962e3bf-962e3ce 109->112 110->109 113 962e3d5 111->113 112->111 113->113
                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0962E2C6
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2202504947.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_9620000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: 69d83f43c0ca303b38413da326ac10a29eee18ef568b7c3946bb9f8581096f15
                                                          • Instruction ID: 3365424d8e9234048dfb5e20b5ef085e7c459fbb12894345134d785a0c29053f
                                                          • Opcode Fuzzy Hash: 69d83f43c0ca303b38413da326ac10a29eee18ef568b7c3946bb9f8581096f15
                                                          • Instruction Fuzzy Hash: B5915871D01629DFEF25CFA8C845BADBBB2BF48310F148169E809A7380DB759985CF91

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 115 156af19-156af37 116 156af63-156af67 115->116 117 156af39-156af46 call 15698a0 115->117 118 156af7b-156afbc 116->118 119 156af69-156af73 116->119 124 156af5c 117->124 125 156af48 117->125 126 156afbe-156afc6 118->126 127 156afc9-156afd7 118->127 119->118 124->116 172 156af4e call 156b1c0 125->172 173 156af4e call 156b1b0 125->173 126->127 128 156affb-156affd 127->128 129 156afd9-156afde 127->129 131 156b000-156b007 128->131 132 156afe0-156afe7 call 156a270 129->132 133 156afe9 129->133 130 156af54-156af56 130->124 134 156b098-156b116 130->134 135 156b014-156b01b 131->135 136 156b009-156b011 131->136 138 156afeb-156aff9 132->138 133->138 165 156b11d-156b158 134->165 166 156b118-156b11c 134->166 139 156b01d-156b025 135->139 140 156b028-156b031 call 156a280 135->140 136->135 138->131 139->140 146 156b033-156b03b 140->146 147 156b03e-156b043 140->147 146->147 148 156b045-156b04c 147->148 149 156b061-156b06e 147->149 148->149 151 156b04e-156b05e call 156a290 call 156a2a0 148->151 155 156b070-156b08e 149->155 156 156b091-156b097 149->156 151->149 155->156 167 156b160-156b18b GetModuleHandleW 165->167 168 156b15a-156b15d 165->168 166->165 169 156b194-156b1a8 167->169 170 156b18d-156b193 167->170 168->167 170->169 172->130 173->130
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0156B17E
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2187930707.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_1560000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: b26862d39617bf140caf901361a91db15d6ad0621f8590db6539befa7070af0c
                                                          • Instruction ID: 7ed350f88e0935361fc1b04bc530bdc3db02789d59649cca90fc8292e5d16385
                                                          • Opcode Fuzzy Hash: b26862d39617bf140caf901361a91db15d6ad0621f8590db6539befa7070af0c
                                                          • Instruction Fuzzy Hash: B8817770A00B469FE725DF2AD44479ABBF5FF88300F008A2DD09ADBA51DB75E845CB91

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 174 156590c-156590e 175 1565915-1565916 174->175 176 1565910 174->176 177 156591d-15659d9 CreateActCtxA 175->177 178 1565918-156591c 175->178 176->175 180 15659e2-1565a3c 177->180 181 15659db-15659e1 177->181 178->177 188 1565a3e-1565a41 180->188 189 1565a4b-1565a4f 180->189 181->180 188->189 190 1565a60 189->190 191 1565a51-1565a5d 189->191 193 1565a61 190->193 191->190 193->193
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 015659C9
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2187930707.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_1560000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: 677b737c4f13ba347c91a58f43a5e384d122bce2eacb91bd89babe21704bd115
                                                          • Instruction ID: a7ecc1d108377cf62844a8202fe14f98ff065db9bf271ffaab55b805999e249c
                                                          • Opcode Fuzzy Hash: 677b737c4f13ba347c91a58f43a5e384d122bce2eacb91bd89babe21704bd115
                                                          • Instruction Fuzzy Hash: B341F2B0C0072DCBDF24CFA9C984B8DBBB5BF49714F20816AD508AB251EBB56945CF90

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 194 156449c-15659d9 CreateActCtxA 198 15659e2-1565a3c 194->198 199 15659db-15659e1 194->199 206 1565a3e-1565a41 198->206 207 1565a4b-1565a4f 198->207 199->198 206->207 208 1565a60 207->208 209 1565a51-1565a5d 207->209 211 1565a61 208->211 209->208 211->211
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 015659C9
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2187930707.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_1560000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: 07189b57a533f8edebf9b542b0713b48eedac2319e54e6a5023266e7b254d362
                                                          • Instruction ID: 87042bc450f70c400b73695abc50120f1c7648733b8cc86c7ac2b86148498b96
                                                          • Opcode Fuzzy Hash: 07189b57a533f8edebf9b542b0713b48eedac2319e54e6a5023266e7b254d362
                                                          • Instruction Fuzzy Hash: 9741C1B0C0072DCBDF24CFA9C98479DBBB5BF49704F20856AD508AB251DBB56945CF90

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 212 7ea5d50-7ea5da4 214 7ea5daf-7ea5dbe 212->214 215 7ea5da6-7ea5dac 212->215 216 7ea5dc3-7ea5dfc DrawTextExW 214->216 217 7ea5dc0 214->217 215->214 218 7ea5dfe-7ea5e04 216->218 219 7ea5e05-7ea5e22 216->219 217->216 218->219
                                                          APIs
                                                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 07EA5DEF
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2202150887.0000000007EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7ea0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: DrawText
                                                          • String ID:
                                                          • API String ID: 2175133113-0
                                                          • Opcode ID: 0948f26f154b59b23be65b07324103704f4c18cab61e8561c2eafa0e76fdbbef
                                                          • Instruction ID: f63ee1e13170ba2e1064fbeeec2c5b95e4a9d579d3b79331b3f22469dba6bb6d
                                                          • Opcode Fuzzy Hash: 0948f26f154b59b23be65b07324103704f4c18cab61e8561c2eafa0e76fdbbef
                                                          • Instruction Fuzzy Hash: 5B3104B590130AAFDB10CF9AD884ADEFBF5FB48324F14842AE519A7210D774A554CFA0

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 233 962da01-962da56 235 962da66-962daa5 WriteProcessMemory 233->235 236 962da58-962da64 233->236 238 962daa7-962daad 235->238 239 962daae-962dade 235->239 236->235 238->239
                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0962DA98
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2202504947.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_9620000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: b704a26a3da054e11ce8c872fbdc6cde10a5d1be479f0b99976943aff64d77e4
                                                          • Instruction ID: f43d0d1cbf1d6a26b1c34ac878fa8b4a9f5479d9438869b149864ffeb4a632e3
                                                          • Opcode Fuzzy Hash: b704a26a3da054e11ce8c872fbdc6cde10a5d1be479f0b99976943aff64d77e4
                                                          • Instruction Fuzzy Hash: 0521357290035A9FDF10CFA9C881BEEBBF5FF88310F10842AE519A7240C7789950CBA0

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 222 156d808-156d80a 223 156d811-156d814 222->223 224 156d80c 222->224 227 156d815-156d84f 223->227 225 156d852-156d8a4 DuplicateHandle 224->225 226 156d80e 224->226 229 156d8a6-156d8ac 225->229 230 156d8ad-156d8ca 225->230 226->227 228 156d810 226->228 227->225 228->223 229->230
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0156D7D6,?,?,?,?,?), ref: 0156D897
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2187930707.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_1560000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 38edd48cc927e1749c7dee30e1fe44450c274f15b0b088ef1cb33490d0608a7b
                                                          • Instruction ID: 1db03414d3ff530f664f91bf1dd93361eefa01b73d74768459b743347c738fd4
                                                          • Opcode Fuzzy Hash: 38edd48cc927e1749c7dee30e1fe44450c274f15b0b088ef1cb33490d0608a7b
                                                          • Instruction Fuzzy Hash: 162148B59002499FDB10CF99D884ADEBFF8FB48320F14851AE958A7251C374A941CBA0

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 252 962da08-962da56 254 962da66-962daa5 WriteProcessMemory 252->254 255 962da58-962da64 252->255 257 962daa7-962daad 254->257 258 962daae-962dade 254->258 255->254 257->258
                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0962DA98
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2202504947.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_9620000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          APIs
                                                          • DrawTextExW.USER32(?,?,?,?,?,?), ref: 07EA5DEF
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2202150887.0000000007EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_7ea0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: DrawText
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0962D8EE
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2202504947.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_9620000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0962DF78
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2202504947.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_9620000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0156D7D6,?,?,?,?,?), ref: 0156D897
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2187930707.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_1560000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0962D8EE
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2202504947.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_9620000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0962DF78
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2202504947.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_9620000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0962D9B6
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2202504947.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_9620000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0962D9B6
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2202504947.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_9620000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2202504947.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_9620000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2202504947.0000000009620000.00000040.00000800.00020000.00000000.sdmp, Offset: 09620000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_9620000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0156B17E
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2187930707.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_1560000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          APIs
                                                          • PostMessageW.USER32(?,?,?,?), ref: 0BF11405
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2203280551.000000000BF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_bf10000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          APIs
                                                          • PostMessageW.USER32(?,?,?,?), ref: 0BF11405
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2203280551.000000000BF10000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BF10000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_bf10000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                          • Instruction Fuzzy Hash: A811BB75504280DFDB02CF54C5C4B59BBB1FB84224F24C6A9D8594F6AAC33AD40ACB61
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2187075116.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_150d000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f1b713b992423e739134aefcb04a4723e0d9d39e92d61ad75d75073df7c08877
                                                          • Instruction ID: 2ddb22c2e7826c78d3b98155c02f8aaa693937b1e9a0c2340331432a2cc20338
                                                          • Opcode Fuzzy Hash: f1b713b992423e739134aefcb04a4723e0d9d39e92d61ad75d75073df7c08877
                                                          • Instruction Fuzzy Hash: 3801A7714053849AF7124AE9CDC476AFFE8FF81364F18C55AEE094E1D7C6B99840C6B1
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.2187075116.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_150d000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 310dba94a5dc1ce91c7c7576def28ab5cefd960296b1aa0a24edcc4bbe9096d9
                                                          • Instruction ID: 5e434f350c89e68c7692fcd60993a618986d5772cfa55d05cf3cdf3163772eee
                                                          • Opcode Fuzzy Hash: 310dba94a5dc1ce91c7c7576def28ab5cefd960296b1aa0a24edcc4bbe9096d9
                                                          • Instruction Fuzzy Hash: 0DF062724053849AE7118A9AD9C4B66FFE8EF81634F18C55AED084E287C379A844CA71

                                                          Execution Graph

                                                          Execution Coverage: 12.2%
                                                          Dynamic/Decrypted Code Coverage: 100%
                                                          Signature Coverage: 0%
                                                          Total number of Nodes: 19
                                                          Total number of Limit Nodes: 4
                                                          Root node: 2bd0848. GlobalMemoryStatusEx is reached at 67bdc31 and 67bde88 along two routes from 2bd7eb2, one via 67bd9f0 and 67bda05, the other via 67bd9e0 and 67bd9e4; each call site returns to its caller, which loops back through 67bdc1a to 2bd7ecc.
                                                          execution_graph 24434 2bd0848 24435 2bd084e 24434->24435 24436 2bd091b 24435->24436 24438 2bd1383 24435->24438 24440 2bd138a 24438->24440 24439 2bd1484 24439->24435 24440->24439 24442 2bd7ea8 24440->24442 24443 2bd7eb2 24442->24443 24444 2bd7ecc 24443->24444 24447 67bd9f0 24443->24447 24452 67bd9e0 24443->24452 24444->24440 24449 67bda05 24447->24449 24448 67bdc1a 24448->24444 24449->24448 24450 67bdc31 GlobalMemoryStatusEx 24449->24450 24451 67bde88 GlobalMemoryStatusEx 24449->24451 24450->24449 24451->24449 24454 67bd9e4 24452->24454 24453 67bdc1a 24453->24444 24454->24453 24455 67bde88 GlobalMemoryStatusEx 24454->24455 24456 67bdc31 GlobalMemoryStatusEx 24454->24456 24455->24454 24456->24454
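The execution graph and the control-flow graphs in this report are emitted as flat token strings: a node id, its address or start-end range, optional API names and `call <target>` tokens belonging to that node, and `src->dst` edges. The following Python is an added example, not part of the Joe Sandbox report and not Joe Security's code. It parses that format, lists the nodes that call a given API, and recovers the shortest route from the graph's root to each of them, which is how an analyst would locate the function chain that reaches the GlobalMemoryStatusEx check behind the AntiVM detection. The token grammar is inferred from the report text and is an assumption; the two sample strings are the execution_graph and one control_flow_graph copied from this report and embedded as constructed input.

```python
"""Parse the text form of Joe Sandbox execution / control-flow graphs.

Added example; not code from the Joe Sandbox report or from Joe Security.
Token grammar (inferred from the report text, an assumption): "<graph-name>",
then entries "<id> <address|start-end>", each optionally followed by
"call <target>" or bare Win32 API names belonging to that node, and
"<src>-><dst>" edges that may appear anywhere after both nodes are defined.
"""
import re
from collections import deque
from dataclasses import dataclass, field

# Constructed sample: the execution_graph of this report (19 nodes, 26 edges),
# copied verbatim and wrapped; whitespace is not significant.
SAMPLE_EXEC_GRAPH = """execution_graph 24434 2bd0848 24435 2bd084e 24434->24435
24436 2bd091b 24435->24436 24438 2bd1383 24435->24438 24440 2bd138a 24438->24440
24439 2bd1484 24439->24435 24440->24439 24442 2bd7ea8 24440->24442 24443 2bd7eb2
24442->24443 24444 2bd7ecc 24443->24444 24447 67bd9f0 24443->24447 24452 67bd9e0
24443->24452 24444->24440 24449 67bda05 24447->24449 24448 67bdc1a 24448->24444
24449->24448 24450 67bdc31 GlobalMemoryStatusEx 24449->24450 24451 67bde88
GlobalMemoryStatusEx 24449->24451 24450->24449 24451->24449 24454 67bd9e4
24452->24454 24453 67bdc1a 24453->24444 24454->24453 24455 67bde88
GlobalMemoryStatusEx 24454->24455 24456 67bdc31 GlobalMemoryStatusEx 24454->24456
24455->24454 24456->24454"""

# Constructed sample: the four-block control_flow_graph around the
# GlobalMemoryStatusEx call at 067BEA9F, copied from the same report.
SAMPLE_CFG = """control_flow_graph 32 67bea38-67bea76 34 67bea7e-67beaac
GlobalMemoryStatusEx 32->34 35 67beaae-67beab4 34->35 36 67beab5-67beadd 34->36
35->36"""

HEX_RE = re.compile(r"[0-9a-fA-F]+(-[0-9a-fA-F]+)?")   # address or range
WORD_RE = re.compile(r"[A-Za-z_]\w*")                  # identifier


@dataclass
class Node:
    addr: str                                   # address or "start-end" range
    apis: list = field(default_factory=list)    # Win32 APIs called in the node
    calls: list = field(default_factory=list)   # intra-module call targets


@dataclass
class Graph:
    name: str
    nodes: dict = field(default_factory=dict)   # id -> Node
    edges: list = field(default_factory=list)   # (src_id, dst_id)


def _is_api(tok):
    # A bare identifier that cannot be read as a hex address. Known limit: an
    # API whose name is made only of hex digits (e.g. "fade") would be misread.
    return (tok != "call" and bool(WORD_RE.fullmatch(tok))
            and not HEX_RE.fullmatch(tok))


def parse_graph(text):
    toks = text.split()
    g = Graph(name=toks[0])
    cur = None                                   # node currently being described
    i = 1
    while i < len(toks):
        tok = toks[i]
        if "->" in tok:                          # "<src>-><dst>" edge
            a, b = tok.split("->")
            g.edges.append((int(a), int(b)))
            i += 1
        elif tok == "call" or _is_api(tok):      # attaches to the current node
            if cur is None:
                raise ValueError(f"{tok!r} appears before any node")
            if tok == "call":
                g.nodes[cur].calls.append(toks[i + 1])
                i += 2
            else:
                g.nodes[cur].apis.append(tok)
                i += 1
        else:                                    # "<id> <address>" entry
            cur = int(tok)
            g.nodes[cur] = Node(addr=toks[i + 1])
            i += 2
    return g


def successors(g):
    succ = {n: [] for n in g.nodes}
    for a, b in g.edges:
        succ[a].append(b)
    return succ


def roots(g):
    """Nodes with no incoming edge: the entry block of a CFG."""
    targets = {b for _, b in g.edges}
    return sorted(n for n in g.nodes if n not in targets)


def api_sites(g, api):
    """Distinct addresses of the nodes that call `api`."""
    return sorted({n.addr for n in g.nodes.values() if api in n.apis})


def shortest_path(g, src, dst):
    """Breadth-first search; node addresses from src to dst, or None."""
    succ = successors(g)
    prev = {src: None}
    queue = deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            path = []
            while n is not None:
                path.append(g.nodes[n].addr)
                n = prev[n]
            return path[::-1]
        for m in succ[n]:
            if m not in prev:
                prev[m] = n
                queue.append(m)
    return None


def paths_to_api(g, api):
    """Shortest route from the first root to every node that calls `api`."""
    root = roots(g)[0]
    return {nid: shortest_path(g, root, nid)
            for nid, n in g.nodes.items() if api in n.apis}


if __name__ == "__main__":
    for text in (SAMPLE_EXEC_GRAPH, SAMPLE_CFG):
        g = parse_graph(text)
        print(f"{g.name}: {len(g.nodes)} nodes, {len(g.edges)} edges, roots {roots(g)}")
        for nid, path in paths_to_api(g, "GlobalMemoryStatusEx").items():
            print(f"  node {nid} ({g.nodes[nid].addr}): " + " -> ".join(path))
```

The parser is a single left-to-right pass because every token type is self-describing; the only state it carries is the node that subsequent `call` and API tokens belong to. Breadth-first search is used for the route so that the first hit is the shortest chain of blocks between entry and the API call, which is the chain worth reading in the disassembly first.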

                                                          Control-flow Graph

                                                          Blocks 2bd3e80 through 2bd4180; three calls to 2bd0ab8 (from 2bd4127, 2bd413b and 2bd414f); self-looping blocks at 2bd3f11, 2bd3fb7, 2bd401d and 2bd4180. The per-block executed/not-executed marking of the rendered graph is not preserved in this text.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: \V[n
                                                          • API String ID: 0-1005319620
                                                          • Opcode ID: 9c7d6c3eccca11d7adf0fdeb6d1770faa1e06f1219ac6a161627291e4356217b
                                                          • Instruction ID: 6630e5b3418d704140d29a5b758d9a7330d075ae9373f99783341f423e914988
                                                          • Opcode Fuzzy Hash: 9c7d6c3eccca11d7adf0fdeb6d1770faa1e06f1219ac6a161627291e4356217b
                                                          • Instruction Fuzzy Hash: 1B914770E002498FDF14CFA9C9957DEBBF2EF88714F148169E419AB294EB749885CF81
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8213f84b2491026b00134f65849b9dacd4d257855d64bc6f7a2e7971b306bd42
                                                          • Instruction ID: c37a35c50525e49e8aef62621f0818818c8ce6b960be84d09b14c807c2a2a030
                                                          • Opcode Fuzzy Hash: 8213f84b2491026b00134f65849b9dacd4d257855d64bc6f7a2e7971b306bd42
                                                          • Instruction Fuzzy Hash: A5B15970E002098FDB14CFA9C8917EDBBF2EF88714F148569D819EB294EB749885CF81

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3387706019.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_67b0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9459f58551b0d9638b81654f6dc0762ad29ba8b5117a8a118a61d07604bc0ff7
                                                          • Instruction ID: fd7bf08b3f9b6c1da6c1e45db57bb72525a157f21a41bd0a86566b664d293941
                                                          • Opcode Fuzzy Hash: 9459f58551b0d9638b81654f6dc0762ad29ba8b5117a8a118a61d07604bc0ff7
                                                          • Instruction Fuzzy Hash: 8E412172D043899FDB14DF69D8043EEBBF5AF89310F05856ADA08E7341EB749844CBA1

                                                          Control-flow Graph

                                                          Four blocks, 67bea38 through 67beadd; GlobalMemoryStatusEx is called from block 67bea7e-67beaac (the call at 067BEA9F), after which control continues to 67beab5-67beadd either directly or through 67beaae-67beab4. The per-block executed/not-executed marking of the rendered graph is not preserved in this text.
                                                          APIs
                                                          • GlobalMemoryStatusEx.KERNEL32 ref: 067BEA9F
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3387706019.00000000067B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_67b0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID: GlobalMemoryStatus
                                                          • String ID:
                                                          • API String ID: 1890195054-0
                                                          • Opcode ID: d89471fc2d25d9bb9d8e6ccced4676c36fb9ba3a0a8940d418d2994772034b69
                                                          • Instruction ID: 7a31392ef1d1b5eb75d16aeab61e534932854278ffb2398eded426ac253b3109
                                                          • Opcode Fuzzy Hash: d89471fc2d25d9bb9d8e6ccced4676c36fb9ba3a0a8940d418d2994772034b69
                                                          • Instruction Fuzzy Hash: BA1114B1C0065A9BCB10CF9AC4447DEFBF4BF48720F10812AD918A7240D378A950CFA5

                                                          Control-flow Graph

                                                          Entry 2bd3e74-2bd3e7c, continuing into 2bd3e20-2bd3e6a or 2bd3e7e-2bd3ee6, then the same body as the function at 2bd3e80: three calls to 2bd0ab8 (from 2bd4127, 2bd413b and 2bd414f) and self-looping blocks at 2bd3f11, 2bd3fb7, 2bd401d and 2bd4180. The per-block executed/not-executed marking of the rendered graph is not preserved in this text.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: \V[n
                                                          • API String ID: 0-1005319620
                                                          • Opcode ID: b27a6ac76c3d25ed971e71e5519b10b3860b8f4a1e7e9f786a9b87c6f5776db7
                                                          • Instruction ID: 11db6eab980fb3553a6e5943e05a8b9e1adddabb68948d83813583069fbc4c1e
                                                          • Opcode Fuzzy Hash: b27a6ac76c3d25ed971e71e5519b10b3860b8f4a1e7e9f786a9b87c6f5776db7
                                                          • Instruction Fuzzy Hash: FEA14671E00249CFDB10CFA8D9857DEBBF2EF88714F148169E819A7294EB749885CF91

                                                          Control-flow Graph

                                                          Entry 2bd86c8; a loop body from 2bd8739 to 2bd8ef7 (block 2bd8ef4-2bd8ef7 branches back to 2bd8739) made of a long ladder of conditional blocks; one call site at 2bd88c2 recorded with three targets (2bd9f78, 2bd9f68 and 2bda01b); exit block 2bd8efd-2bd8f03. The per-block executed/not-executed marking of the rendered graph is not preserved in this text.
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e4fd26231aca5aa1016f907589b15d74823c2c4a1ca54345e63dbfbbd1ffe03b
                                                          • Instruction ID: 93aa5132fbecd0e592764ac7bdd3c0196bb4dc186e9a53cb6f6a933e01f28cad
                                                          • Opcode Fuzzy Hash: e4fd26231aca5aa1016f907589b15d74823c2c4a1ca54345e63dbfbbd1ffe03b
                                                          • Instruction Fuzzy Hash: 19229430701242DBDB29AB38E8453683B62EBC9319B21497DF116CB355EF79DC879B81

                                                          Control-flow Graph

                                                          Entry 2bd8720-2bd8737; otherwise the same loop body as the function at 2bd86c8 (2bd8739 to 2bd8ef7, with block 2bd8ef4-2bd8ef7 branching back to 2bd8739), the same call site 2bd88c2 with three recorded targets (2bd9f78, 2bd9f68 and 2bda01b), and exit block 2bd8efd-2bd8f03. The per-block executed/not-executed marking of the rendered graph is not preserved in this text.
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6ba7f9a656096e67ab4602c4fa5beed779bca0dca76436279b08c010f8d44880
                                                          • Instruction ID: bebf9876f23e6493b025a87a307139a2a74f569a92fd9c4f947e1d7b46bfe632
                                                          • Opcode Fuzzy Hash: 6ba7f9a656096e67ab4602c4fa5beed779bca0dca76436279b08c010f8d44880
                                                          • Instruction Fuzzy Hash: F3124230701242DBDB29AB38E8493683792EBC9319B21493DF116DB355DF79EC879B81

                                                          Control-flow Graph

                                                          Entry 2bda183-2bda18c, blocks through 2bda6ab-2bda6c0, with nested loops (2bda283-2bda286 back to 2bda1b1, 2bda4ab-2bda4bd back to 2bda2d9). Calls: from 2bda29d to 2bda6c8 or 2bda6c5 (two recorded targets), from 2bda2a3-2bda2bf to 2bdde6a, and from 2bda3af-2bda3d2 to 2bd79d4. The per-block executed/not-executed marking of the rendered graph is not preserved in this text.
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4facf9a7c822b2558eb7005b28c1a3fa96c3078689b60ae5b38769de11f0fba1
                                                          • Instruction ID: 6bc63d7aa2f8a3574fb0dce17907b7feef4d5bb08a05ae8eb0993a5a4ba22ccc
                                                          • Opcode Fuzzy Hash: 4facf9a7c822b2558eb7005b28c1a3fa96c3078689b60ae5b38769de11f0fba1
                                                          • Instruction Fuzzy Hash: 46E18F34B00205DFDB14DB68D894BADBBB2EF89314F2484A9E905D7395EB35ED42CB81
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9c4d49db35dfb780c780f100700f7c5479ed990a3e9b6d355276e5232f19331c
                                                          • Instruction ID: 3ae382d6544edc827a0c5776487426a7131f18a414f3788ae9332067a9515f2e
                                                          • Opcode Fuzzy Hash: 9c4d49db35dfb780c780f100700f7c5479ed990a3e9b6d355276e5232f19331c
                                                          • Instruction Fuzzy Hash: C2A15A70E002498FDB10CFA8C9857DDBBF2EF88714F248569D819EB294EB749885CF91
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 55796237df092b97fab997bcc1eeb5c6864a7ac4153d4c812027f3212db143ef
                                                          • Instruction ID: 04d3426ecac3c31fa1d5a96c8a955c1f771d812515123c2a1bd4faa5875592e2
                                                          • Opcode Fuzzy Hash: 55796237df092b97fab997bcc1eeb5c6864a7ac4153d4c812027f3212db143ef
                                                          • Instruction Fuzzy Hash: 58514A347002198FDB14EB68D558BAE7BB6EF89704F2044A9E406EB3A1EF759C41CB91
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f0b2cbf20616345bce77646480ce9c9670e58178f94e24e3d2cdf026999429ec
                                                          • Instruction ID: 2cc5b6d66b2a4d8414c37b78af1e9ebe740a4a010d7d49b21f98f19e2989bb11
                                                          • Opcode Fuzzy Hash: f0b2cbf20616345bce77646480ce9c9670e58178f94e24e3d2cdf026999429ec
                                                          • Instruction Fuzzy Hash: 14516C71A00205DFDB04DF69E884799FBB2FF88310F14C2AAE9189B356E7B1D945CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bd3df45d587bbef3728d16971d700f0b3310cc88a37075b64bf92b313d087691
                                                          • Instruction ID: 445b3fcb50fb4ed5454a4a90e2895c8a209801a0f288333b042b4f31dca594b3
                                                          • Opcode Fuzzy Hash: bd3df45d587bbef3728d16971d700f0b3310cc88a37075b64bf92b313d087691
                                                          • Instruction Fuzzy Hash: 705123B0D002288FDB18CFA9E884BDDBBB5FF48314F14856AE815AB351E774A844CF94
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4d751d30f8e3218ac6e561eb818b6335c2d2229f630187aa09ee2b65801f349b
                                                          • Instruction ID: bba4e7bd38937be4510c68f96bc59bf6c5b598b28f9c2d149a7f399ae75ccb7c
                                                          • Opcode Fuzzy Hash: 4d751d30f8e3218ac6e561eb818b6335c2d2229f630187aa09ee2b65801f349b
                                                          • Instruction Fuzzy Hash: 8251F3B0D002588FDB18CFA9E884BDDBBB5FF48314F14856AE819AB351E774A844CF95
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 951fe74d4fa31236005d9d4b196bc485c3683d53d43b94d23621519d1d924d2f
                                                          • Instruction ID: 44606c9cc19050c45a4c7dbfbd6e9d4a72e2a5a3a376b8a9159ddfeff87d5e3c
                                                          • Opcode Fuzzy Hash: 951fe74d4fa31236005d9d4b196bc485c3683d53d43b94d23621519d1d924d2f
                                                          • Instruction Fuzzy Hash: FD51D8302151C6CFD719FF78F884BA53FA9FB91309706A96AD1049B27ADA602D05DF80
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 828a2f2db6eaa2fd3aea1ee885c4b702d0dae319c3d37d02650d85bfe412aceb
                                                          • Instruction ID: ff733a53a581865ec322d81b782a3a7e4958f55255412011501afa8bf50cc6af
                                                          • Opcode Fuzzy Hash: 828a2f2db6eaa2fd3aea1ee885c4b702d0dae319c3d37d02650d85bfe412aceb
                                                          • Instruction Fuzzy Hash: 1351E7302151C6CFC61AFF78F884B653FA9FB91309706A96AD104DB27ADA603D05DF80
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6e78a8fdbc1c16188fad7036e737f6b71d1221069d8c017cc3e4a74c263a49b4
                                                          • Instruction ID: 96a1d72f2225cb0a026bc603401d60811675f2126c9b9f31388d3e60f8598f99
                                                          • Opcode Fuzzy Hash: 6e78a8fdbc1c16188fad7036e737f6b71d1221069d8c017cc3e4a74c263a49b4
                                                          • Instruction Fuzzy Hash: 72316C75B00616EFD705DB68C880E7AB77AFBC8300F55C169E9418B29ACB31EC42CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 58b687c2fdb1afabbb9288ec1a04095f29649f736017f000a3df2939e69b2868
                                                          • Instruction ID: 024f8e4eaff1dd4768c96267743536d67931728b12bac57b6b94aebe808d7c76
                                                          • Opcode Fuzzy Hash: 58b687c2fdb1afabbb9288ec1a04095f29649f736017f000a3df2939e69b2868
                                                          • Instruction Fuzzy Hash: 23316E31E0025A9BDB24DF65C4447EEF7B6EF89300F608569E806EB280EB70A942DB50
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 772d30bf7f411fb4b51ad41f433880d3fdab4c77e30b8bbb39d7ad048c4dfe68
                                                          • Instruction ID: 55718104b5106b7acc40bea3e48acda1b0fddbd0f9a55e7150262f8a0bee79cd
                                                          • Opcode Fuzzy Hash: 772d30bf7f411fb4b51ad41f433880d3fdab4c77e30b8bbb39d7ad048c4dfe68
                                                          • Instruction Fuzzy Hash: 2041F1B5D00349DFDB10CFA9C580ADEBBB1FF48314F148069E809AB254EB75A945CF90
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b52fa71d76ad7096a407e906d5c99e56899530a422bf481431d4c3d3cc60be76
                                                          • Instruction ID: e6e3970acdc89560aa6f83fe00806f3ddb828c7aec177310cc51a6db1fe5fb18
                                                          • Opcode Fuzzy Hash: b52fa71d76ad7096a407e906d5c99e56899530a422bf481431d4c3d3cc60be76
                                                          • Instruction Fuzzy Hash: 41314C74E1025ADBEB25DF74C8457EEB7B6EF49300F608469E805FB280EB749842DB50
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7705df749ed855b37dfa09a00cd654dbc4e3b64ad0dc19e8752fb1590cd986a0
                                                          • Instruction ID: 234c0740f426a778abd73128b08ee92b65083691debdee62172ffa6656c938c6
                                                          • Opcode Fuzzy Hash: 7705df749ed855b37dfa09a00cd654dbc4e3b64ad0dc19e8752fb1590cd986a0
                                                          • Instruction Fuzzy Hash: 1841EFB0D00349DFEB10CFA9C580ADEBBB5FF48714F148069E809AB254EB75A945CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0456546f289eecffab751f35d28848894724ee78ed299630c4f85e966d0148fe
                                                          • Instruction ID: bea7da2538dd6083d4a85c97045d149ee7e27da812e0cc197fbb9531646eb8bd
                                                          • Opcode Fuzzy Hash: 0456546f289eecffab751f35d28848894724ee78ed299630c4f85e966d0148fe
                                                          • Instruction Fuzzy Hash: 03310634600255CFDB28EB78C9546EE77FAEF88344F9008A9D505EB3A4EB369C41CB95
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c1fbae471ddce109a1e3104bef83c1403ce1daa808f271f0e2249f0eb072ff8a
                                                          • Instruction ID: 815793d90e93b8e7418590f060b8f016793e0dce5356172feb406231048c58d2
                                                          • Opcode Fuzzy Hash: c1fbae471ddce109a1e3104bef83c1403ce1daa808f271f0e2249f0eb072ff8a
                                                          • Instruction Fuzzy Hash: 91313534600255CFDB28EB78C5547ED77B6EF48348B9008A9C905AB3A4EB369C81CB95
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c33dcdabbdc4d1862d535fdc3a7b91f57d6ae42b7b1689998acb5959f4981c99
                                                          • Instruction ID: 8b1eef2cfd41d4721a4e0d78edf561c12aaff68e6e0fe7b57f3a8b9c3bc88d3e
                                                          • Opcode Fuzzy Hash: c33dcdabbdc4d1862d535fdc3a7b91f57d6ae42b7b1689998acb5959f4981c99
                                                          • Instruction Fuzzy Hash: 3031A430E002459BDB15CFA4D8547DEFBB2EF8A304F14C659E805EB241EB71A886CB50
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 281f51d5cfdbdc84393d1c85d99a9b26d2e2c9b4e0dd3c69339ee9db69a8ebe1
                                                          • Instruction ID: 5848d08ddf9977f38b4ab4e6acb9ae416045e73c0aa61d35d00fb310cb453598
                                                          • Opcode Fuzzy Hash: 281f51d5cfdbdc84393d1c85d99a9b26d2e2c9b4e0dd3c69339ee9db69a8ebe1
                                                          • Instruction Fuzzy Hash: 0521D8786201819BEF22F7B8E8447A93B56E784308F5159A9E00AC73A5FF64DC418B81
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3374021962.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_f8d000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f2fae259c07e5933ad6e3f8ff5ac0589c47c2f12bba9d5850fa6b192f1e980c3
                                                          • Instruction ID: dac62ec1cfd04863f0162735eba5dc6d433598e63ce3606332f9dcef032785dd
                                                          • Opcode Fuzzy Hash: f2fae259c07e5933ad6e3f8ff5ac0589c47c2f12bba9d5850fa6b192f1e980c3
                                                          • Instruction Fuzzy Hash: BA316B7550D3C49FCB03DB24C994751BF71AF46214F29C5EBD8898F2A7C23A980ACB62
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4328b58f204163d4d4c2e30c26b0d8f494f0791ae1ba14a137a607e5d91ec254
                                                          • Instruction ID: 60a647f6d9b0270a1c8284a5eab4180686f5ea9366986421cff6443f94eab43a
                                                          • Opcode Fuzzy Hash: 4328b58f204163d4d4c2e30c26b0d8f494f0791ae1ba14a137a607e5d91ec254
                                                          • Instruction Fuzzy Hash: E6217E30E0024A9BDB19DF64C8507DEF7B2FF89300F54C66AE815EB241EB719882CB90
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 151f1c2e388f614ede025fa6fef9250ba9d61cc8f4b4a22f26db06977056b4fe
                                                          • Instruction ID: a580f0be5add87b7dada2b40aad7f873e749c8b7f035798148abd04b782953f9
                                                          • Opcode Fuzzy Hash: 151f1c2e388f614ede025fa6fef9250ba9d61cc8f4b4a22f26db06977056b4fe
                                                          • Instruction Fuzzy Hash: 7421AE31A001048FEB149B79C854BEE7BF6EF88724F1181A5E505EB3A0EA75DD018B91
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 55ada1457ec0240e0ccec762f45e988038e82b094bccceda8b1ea8fcfc62be8c
                                                          • Instruction ID: 9fa932bd3befd0f659891e7b8421c50baf5f8db6deeabbbbf8e4441919dabe31
                                                          • Opcode Fuzzy Hash: 55ada1457ec0240e0ccec762f45e988038e82b094bccceda8b1ea8fcfc62be8c
                                                          • Instruction Fuzzy Hash: D521AF31E007098BDB18CFA4D4506DEB7B2EF89300F60866AE816BB780EB70A945CB51
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3374021962.0000000000F8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F8D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_f8d000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 10b3446c58f9a42d923866a3f98743d6fa3aeb9caa3c9d9bd891a9ca3556d0e9
                                                          • Instruction ID: 3d82188c59890eab79910fff483a25fc50c447fd14c8babadc43364d2664408f
                                                          • Opcode Fuzzy Hash: 10b3446c58f9a42d923866a3f98743d6fa3aeb9caa3c9d9bd891a9ca3556d0e9
                                                          • Instruction Fuzzy Hash: BC212572504204DFDB14EF14D9C0B66BB61FF84324F20C56DD90A4B29AC376D846DB62
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c584a3d048c8774de0ca9a6ba38e840efc24981579f1f45c8c8350521f030092
                                                          • Instruction ID: 6f6559824c698798941a1a4cc01f53511698562b895682516898ca09fdd99c62
                                                          • Opcode Fuzzy Hash: c584a3d048c8774de0ca9a6ba38e840efc24981579f1f45c8c8350521f030092
                                                          • Instruction Fuzzy Hash: 0821A5746202419BEF35676CD8853F83A66E702329F5448AAF40ED73D1EF29DC85CB52
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7f94dd3ebfd5c62aa78ed5b2554563b519bb54878ca74befe1539b998f788170
                                                          • Instruction ID: 2a5c438c51f890cc204884b7b3e45ef8955c41236c75c83c17168ce84c8a1af6
                                                          • Opcode Fuzzy Hash: 7f94dd3ebfd5c62aa78ed5b2554563b519bb54878ca74befe1539b998f788170
                                                          • Instruction Fuzzy Hash: 86210A34600209CFDB64EB78D958BAD77F5EF49204B5004A9E506EB360EB369D01DB91
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5820cb3454e29bd3a0560452bd73e8bab3379a5fb4767dca9c6fed0859c1524f
                                                          • Instruction ID: ae508e880f6056334c70573b6d036b5c3a97b9857c3313d888ee4fe4c360e082
                                                          • Opcode Fuzzy Hash: 5820cb3454e29bd3a0560452bd73e8bab3379a5fb4767dca9c6fed0859c1524f
                                                          • Instruction Fuzzy Hash: B3210730A10245CFDB64EB78C6547AD77F6EF49205F2008A9D10AEB260EB3A9D42CB65
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 239343c8fd7b8148974daff9258325e671e2421b7c54ab19b495608126186060
                                                          • Instruction ID: 1768db93db54b5e071c050be64dbfabac5a279d97a2a935cb148a3030ae4832c
                                                          • Opcode Fuzzy Hash: 239343c8fd7b8148974daff9258325e671e2421b7c54ab19b495608126186060
                                                          • Instruction Fuzzy Hash: CE211930B10245CFDB64EB78C5187EE77F6EF49205F1004A9D20AEB260EB369D42CBA5
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f89d994737f73480b763d3c55b715bf81b569d62ecd50c809387f0b1e9af70d6
                                                          • Instruction ID: 8b6ba6912251e517b42c3618908d3693e52a4a0e90308e46cd7eb018d0ee8159
                                                          • Opcode Fuzzy Hash: f89d994737f73480b763d3c55b715bf81b569d62ecd50c809387f0b1e9af70d6
                                                          • Instruction Fuzzy Hash: 6E215031E006199BDB19CF64C4546DEF7B6EF89300F50866AE816BB350EB70A845CB51
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: af259d5b28337605743bf2d01240c0a936f9a8b557a78c3afe55a063a603d6d2
                                                          • Instruction ID: fb8c36f881a2da43d42f1c06faa47a8e6ec3dc30ef9efb1a2575751fedeba533
                                                          • Opcode Fuzzy Hash: af259d5b28337605743bf2d01240c0a936f9a8b557a78c3afe55a063a603d6d2
                                                          • Instruction Fuzzy Hash: 7621EB746201819FEF21F7BCE8447693B16E784308F115969E00AC7275EF74DC40CB91
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 13574acfac9c1ea5233e102aab90d50113aa03bed88183fd5cceb05067e571bf
                                                          • Instruction ID: acdb751f4e891de9c455206108559d3642981c9d39410739b7237b3cc9d8fdbd
                                                          • Opcode Fuzzy Hash: 13574acfac9c1ea5233e102aab90d50113aa03bed88183fd5cceb05067e571bf
                                                          • Instruction Fuzzy Hash: 0A21E934600209CFDB64EB78D958BAD77F6EF49204F5004A9E506EB360EB769D01DB91
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 72362948fd96c792db533bc50f7cf2d0e0ebd7e86b63c1c286b5fed5c943ac02
                                                          • Instruction ID: 6b1c9b591ffc3d9aacf6d75d4af9005cc3d415b6765b47ffa775cf062097241f
                                                          • Opcode Fuzzy Hash: 72362948fd96c792db533bc50f7cf2d0e0ebd7e86b63c1c286b5fed5c943ac02
                                                          • Instruction Fuzzy Hash: 0211A330B402098BEF24BBB9D8047AE3691FB85714F204CB9D106CF295FB66DC819BD1
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fb077b5741d76c01ef9c2b6df6ad0c25b2a0c86773d039878f8d25561bf7e774
                                                          • Instruction ID: 778582426f6786a669c84df40b4d7b85f400d583e47a49f3ab95258b972016e9
                                                          • Opcode Fuzzy Hash: fb077b5741d76c01ef9c2b6df6ad0c25b2a0c86773d039878f8d25561bf7e774
                                                          • Instruction Fuzzy Hash: 20119032E112558FCB11AFB885902ED7BB6EF05314F2544EAD806EB242F739D941CF91
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 87caec361438588280acbe0e8a9c995903a6c23fec365ed39a64e5f1fec7a5f3
                                                          • Instruction ID: a376c9e48512531cd67bb9a7e8fcbe30588e32400a0faefe62009cad11da48ec
                                                          • Opcode Fuzzy Hash: 87caec361438588280acbe0e8a9c995903a6c23fec365ed39a64e5f1fec7a5f3
                                                          • Instruction Fuzzy Hash: D011C230A403098BEF24B6B498043FE3651EB81318F208DBAD406CF295FB66DD859BD2
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dbfd1f4ac624d2ea44145cad03812286c5978ffc22106d054c0af24d9ba47500
                                                          • Instruction ID: a7d3e3087309e7a306e37c135bbb969dfc54775d71c7a591e240abe2f9965996
                                                          • Opcode Fuzzy Hash: dbfd1f4ac624d2ea44145cad03812286c5978ffc22106d054c0af24d9ba47500
                                                          • Instruction Fuzzy Hash: 2E110276F112516FDB20EBB998083AE7BEAFB48254F100865F90AD3344FB34D9418B81
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 60e41b4a28ce581f082cb2fda62957ce20b6495dab9400d6171342e6a29a2124
                                                          • Instruction ID: 98964e2c09ad73386705077ac06b413ce6d162cdf3dec98532354e6c60ff58b3
                                                          • Opcode Fuzzy Hash: 60e41b4a28ce581f082cb2fda62957ce20b6495dab9400d6171342e6a29a2124
                                                          • Instruction Fuzzy Hash: 4F012931A116159BCB21EFB894502EEBBE6EB48324B2444BAD80AEB301F735D941CF95
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 48a08474b9e9069e2218e3232b2ede3a7cc5e32bb3c6e948366cdd3fd504aa91
                                                          • Instruction ID: b7bbc883ce481bfaef076daf81b6bf5a390121bebb19d9a84c1545898caef3c6
                                                          • Opcode Fuzzy Hash: 48a08474b9e9069e2218e3232b2ede3a7cc5e32bb3c6e948366cdd3fd504aa91
                                                          • Instruction Fuzzy Hash: 1D01D2317042509FD325AB7894113AE7BA7EF89710F5488AFD156C7391EB7A8885CB82
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 35b798270bd34e81b92fe8da1b62c653c4731be17247aaae96bc66b230f2891f
                                                          • Instruction ID: 034f6610d282e675ef789e4fa22834735d2afc495d4650e4a894e4e50940e154
                                                          • Opcode Fuzzy Hash: 35b798270bd34e81b92fe8da1b62c653c4731be17247aaae96bc66b230f2891f
                                                          • Instruction Fuzzy Hash: CB019231A001058BDB04DF95D84479ABB76FFC4310F64C268D90C6B296EBB4A905CBA1
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4cb8b2dd2186ebc076540ad7c3f6ad285a459528b836916c5e2d10d1cd1af581
                                                          • Instruction ID: 6e5c7a307ff16a3fab24fc7f71db76e3c95fcc1219d3283e304f97d0cc0aaa10
                                                          • Opcode Fuzzy Hash: 4cb8b2dd2186ebc076540ad7c3f6ad285a459528b836916c5e2d10d1cd1af581
                                                          • Instruction Fuzzy Hash: FCF0F637A14150DBCB229BA894A02EC7B71EB5422576900D7D80ADB212E729E542CF51
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a8d7a85eb6ba9b0c2388685e163ec4ffb27fac17fb28b4587494d2d3ba7c313a
                                                          • Instruction ID: ef95cee356c116803ff7d90a703c38fbd548b072b50b47ab362636fd26133ac7
                                                          • Opcode Fuzzy Hash: a8d7a85eb6ba9b0c2388685e163ec4ffb27fac17fb28b4587494d2d3ba7c313a
                                                          • Instruction Fuzzy Hash: A501D6305001CADBEB0AFBA8F84078D7B71EF80308F4057ACC1159B2A6DE751E01D782
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 483f9eeefd05b6a18a458542afab16806e901603fd925599fa3e7bd9f32aab6a
                                                          • Instruction ID: efc88d0a106fdbb9042bb6742ec3d54565c9a76db144eaf1db6c60597566d700
                                                          • Opcode Fuzzy Hash: 483f9eeefd05b6a18a458542afab16806e901603fd925599fa3e7bd9f32aab6a
                                                          • Instruction Fuzzy Hash: A3F0C435B40504CFD714EB74E5A8BAC77B2EF89215F6144A8E5069B3A4DF31AD82CF40
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4230662193e7260c2eba10e5c8f0d96a31af9e079d732bf229d30457b1eb01f3
                                                          • Instruction ID: 1123dff520f1b4b9edb9a7415759bf31616e6e360ef1f55f601b48ddd9243d74
                                                          • Opcode Fuzzy Hash: 4230662193e7260c2eba10e5c8f0d96a31af9e079d732bf229d30457b1eb01f3
                                                          • Instruction Fuzzy Hash: F5F04434900189EFEB45FBE4F85069D7BB5EF80304F50566DC105A7264EE712E049B81
                                                          Memory Dump Source
                                                          • Source File: 0000000E.00000002.3375778313.0000000002BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BD0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_14_2_2bd0000_uGbdmwuUS.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bf17dc961426f3c94463e03c396c349052da72a1d3ca9ee6177ea7386a33cae4
                                                          • Instruction ID: 2071e584e011ff419520821196785de1c91d86bdd731bbcf575361c43cfddc3f
                                                          • Opcode Fuzzy Hash: bf17dc961426f3c94463e03c396c349052da72a1d3ca9ee6177ea7386a33cae4
                                                          • Instruction Fuzzy Hash: C9B0123080D3C00EC30356302C203823F62EFC3200F2901EF94C085043E300021ACF03