
Windows Analysis Report
A6AHI7Uk18.exe

Overview

General Information

Sample name: A6AHI7Uk18.exe (renamed because the original name is a hash value)
Original sample name: f564c332d78b12de556bd32e8368115f9375f37b00fe07741d8d6214bf6c3998.exe
Analysis ID: 1588701
MD5: cbc2beed937b392582499a75e1d5c8d9
SHA1: 014d4273b428704b44d238bd0750dd246133267c
SHA256: f564c332d78b12de556bd32e8368115f9375f37b00fe07741d8d6214bf6c3998
Tags: exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign process
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to detect virtual machines (SGDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • A6AHI7Uk18.exe (PID: 4600 cmdline: "C:\Users\user\Desktop\A6AHI7Uk18.exe" MD5: CBC2BEED937B392582499A75E1D5C8D9)
    • powershell.exe (PID: 6208 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A6AHI7Uk18.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7564 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7208 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAtOLFyXVhJq" /XML "C:\Users\user\AppData\Local\Temp\tmp43A7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • A6AHI7Uk18.exe (PID: 7400 cmdline: "C:\Users\user\Desktop\A6AHI7Uk18.exe" MD5: CBC2BEED937B392582499A75E1D5C8D9)
  • tAtOLFyXVhJq.exe (PID: 7548 cmdline: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe MD5: CBC2BEED937B392582499A75E1D5C8D9)
    • schtasks.exe (PID: 7720 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAtOLFyXVhJq" /XML "C:\Users\user\AppData\Local\Temp\tmp5849.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tAtOLFyXVhJq.exe (PID: 7772 cmdline: "C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe" MD5: CBC2BEED937B392582499A75E1D5C8D9)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Malware configuration: {"Exfil Mode": "SMTP", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}
Yara matches in process memory (Source / Rule / Description / Author):
  • 00000008.00000002.4193893855.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp / JoeSecurity_AgentTesla_1 / Yara detected AgentTesla / Joe Security
  • 0000000D.00000002.4192948416.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp / JoeSecurity_AgentTesla_1 / Yara detected AgentTesla / Joe Security
  • 0000000D.00000002.4192948416.0000000002C61000.00000004.00000800.00020000.00000000.sdmp / JoeSecurity_CredentialStealer / Yara detected Credential Stealer / Joe Security
  • 0000000D.00000002.4192948416.0000000002C61000.00000004.00000800.00020000.00000000.sdmp / JoeSecurity_AgentTesla_1 / Yara detected AgentTesla / Joe Security
  • 00000008.00000002.4193893855.0000000002A71000.00000004.00000800.00020000.00000000.sdmp / JoeSecurity_CredentialStealer / Yara detected Credential Stealer / Joe Security
Yara matches in unpacked PE files (Source / Rule / Description / Author):
  • 13.2.tAtOLFyXVhJq.exe.400000.0.unpack / INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID / Detects executables referencing Windows vault credential objects. Observed in infostealers / ditekSHen
  • 0.2.A6AHI7Uk18.exe.45c1d30.0.raw.unpack / JoeSecurity_CredentialStealer / Yara detected Credential Stealer / Joe Security
  • 0.2.A6AHI7Uk18.exe.45c1d30.0.raw.unpack / JoeSecurity_GenericDownloader_1 / Yara detected Generic Downloader / Joe Security
  • 0.2.A6AHI7Uk18.exe.45c1d30.0.raw.unpack / JoeSecurity_AgentTesla_1 / Yara detected AgentTesla / Joe Security
  • 0.2.A6AHI7Uk18.exe.45c1d30.0.raw.unpack / INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID / Detects executables referencing Windows vault credential objects. Observed in infostealers / ditekSHen

                  System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A6AHI7Uk18.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A6AHI7Uk18.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\A6AHI7Uk18.exe", ParentImage: C:\Users\user\Desktop\A6AHI7Uk18.exe, ParentProcessId: 4600, ParentProcessName: A6AHI7Uk18.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A6AHI7Uk18.exe", ProcessId: 6208, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAtOLFyXVhJq" /XML "C:\Users\user\AppData\Local\Temp\tmp5849.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAtOLFyXVhJq" /XML "C:\Users\user\AppData\Local\Temp\tmp5849.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe, ParentImage: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe, ParentProcessId: 7548, ParentProcessName: tAtOLFyXVhJq.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAtOLFyXVhJq" /XML "C:\Users\user\AppData\Local\Temp\tmp5849.tmp", ProcessId: 7720, ProcessName: schtasks.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\A6AHI7Uk18.exe, Initiated: true, ProcessId: 7400, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAtOLFyXVhJq" /XML "C:\Users\user\AppData\Local\Temp\tmp43A7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAtOLFyXVhJq" /XML "C:\Users\user\AppData\Local\Temp\tmp43A7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\A6AHI7Uk18.exe", ParentImage: C:\Users\user\Desktop\A6AHI7Uk18.exe, ParentProcessId: 4600, ParentProcessName: A6AHI7Uk18.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAtOLFyXVhJq" /XML "C:\Users\user\AppData\Local\Temp\tmp43A7.tmp", ProcessId: 7208, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A6AHI7Uk18.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A6AHI7Uk18.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\A6AHI7Uk18.exe", ParentImage: C:\Users\user\Desktop\A6AHI7Uk18.exe, ParentProcessId: 4600, ParentProcessName: A6AHI7Uk18.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A6AHI7Uk18.exe", ProcessId: 6208, ProcessName: powershell.exe

                  Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAtOLFyXVhJq" /XML "C:\Users\user\AppData\Local\Temp\tmp43A7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAtOLFyXVhJq" /XML "C:\Users\user\AppData\Local\Temp\tmp43A7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\A6AHI7Uk18.exe", ParentImage: C:\Users\user\Desktop\A6AHI7Uk18.exe, ParentProcessId: 4600, ParentProcessName: A6AHI7Uk18.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAtOLFyXVhJq" /XML "C:\Users\user\AppData\Local\Temp\tmp43A7.tmp", ProcessId: 7208, ProcessName: schtasks.exe
                  No Suricata rule has matched


                  AV Detection

Source: powershell.exe.6208.2.memstrmin; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Virustotal: Detection: 76%
Source: A6AHI7Uk18.exe; ReversingLabs: Detection: 63%
Source: A6AHI7Uk18.exe; Virustotal: Detection: 76%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Joe Sandbox ML: detected
Source: A6AHI7Uk18.exe; Joe Sandbox ML: detected
Source: A6AHI7Uk18.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: A6AHI7Uk18.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Networking

Source: Yara match; File source: 0.2.A6AHI7Uk18.exe.45c1d30.0.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View; IP Address: 46.175.148.58
Source: Joe Sandbox View; IP Address: 172.67.74.152
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; DNS query: name: api.ipify.org
Source: global traffic; TCP traffic: 192.168.2.4:49735 -> 46.175.148.58:25
Source: global traffic; HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: api.ipify.org
Source: global traffic; DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: tAtOLFyXVhJq.exe, 00000009.00000002.1812509524.0000000002A59000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://localhost/arkanoid_server/requests.php
Source: A6AHI7Uk18.exe, 00000008.00000002.4193893855.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, tAtOLFyXVhJq.exe, 0000000D.00000002.4192948416.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.iaa-airferight.com
Source: A6AHI7Uk18.exe, 00000000.00000002.1768602388.0000000002F09000.00000004.00000800.00020000.00000000.sdmp, A6AHI7Uk18.exe, 00000008.00000002.4193893855.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, tAtOLFyXVhJq.exe, 00000009.00000002.1812509524.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, tAtOLFyXVhJq.exe, 0000000D.00000002.4192948416.0000000002C11000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: A6AHI7Uk18.exe, 00000000.00000002.1770457595.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, A6AHI7Uk18.exe, 00000008.00000002.4188956005.0000000000436000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: A6AHI7Uk18.exe, 00000000.00000002.1770457595.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, A6AHI7Uk18.exe, 00000008.00000002.4188956005.0000000000429000.00000040.00000400.00020000.00000000.sdmp, A6AHI7Uk18.exe, 00000008.00000002.4193893855.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, tAtOLFyXVhJq.exe, 0000000D.00000002.4192948416.0000000002C11000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org
Source: A6AHI7Uk18.exe, 00000008.00000002.4193893855.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, tAtOLFyXVhJq.exe, 0000000D.00000002.4192948416.0000000002C11000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/
Source: A6AHI7Uk18.exe, 00000008.00000002.4193893855.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, tAtOLFyXVhJq.exe, 0000000D.00000002.4192948416.0000000002C11000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org/t
Source: unknown; Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown; Network traffic detected: HTTP traffic on port 49737 -> 443

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\A6AHI7Uk18.exe
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Window created: window name: CLIPBRDWNDCLASS

                  System Summary

Source: 13.2.tAtOLFyXVhJq.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.A6AHI7Uk18.exe.45c1d30.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeCode function: 13_2_0678565013_2_06785650
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeCode function: 13_2_0678C61813_2_0678C618
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeCode function: 13_2_06783C8F13_2_06783C8F
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeCode function: 13_2_0678032813_2_06780328
Source: A6AHI7Uk18.exe, 00000000.00000002.1768602388.0000000002F09000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs A6AHI7Uk18.exe
Source: A6AHI7Uk18.exe, 00000000.00000000.1723932450.0000000000702000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenamepXmF.exe0 vs A6AHI7Uk18.exe
Source: A6AHI7Uk18.exe, 00000000.00000002.1768602388.0000000002B79000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameArthur.dll" vs A6AHI7Uk18.exe
Source: A6AHI7Uk18.exe, 00000000.00000002.1770457595.0000000004379000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameArthur.dll" vs A6AHI7Uk18.exe
Source: A6AHI7Uk18.exe, 00000000.00000002.1770457595.00000000043B1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameMontero.dll8 vs A6AHI7Uk18.exe
Source: A6AHI7Uk18.exe, 00000000.00000002.1770457595.00000000043B1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs A6AHI7Uk18.exe
Source: A6AHI7Uk18.exe, 00000000.00000002.1787255969.00000000080E0000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs A6AHI7Uk18.exe
Source: A6AHI7Uk18.exe, 00000000.00000002.1761168921.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs A6AHI7Uk18.exe
Source: A6AHI7Uk18.exe, 00000000.00000002.1789361303.0000000009C10000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameMontero.dll8 vs A6AHI7Uk18.exe
Source: A6AHI7Uk18.exe, 00000000.00000002.1786864413.0000000007890000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameArthur.dll" vs A6AHI7Uk18.exe
Source: A6AHI7Uk18.exe, 00000008.00000002.4189394514.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs A6AHI7Uk18.exe
Source: A6AHI7Uk18.exe; Binary or memory string: OriginalFilenamepXmF.exe0 vs A6AHI7Uk18.exe
Source: A6AHI7Uk18.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 13.2.tAtOLFyXVhJq.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.A6AHI7Uk18.exe.45c1d30.0.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: A6AHI7Uk18.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tAtOLFyXVhJq.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@19/15@2/2
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; File created: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7200:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7228:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; File created: C:\Users\user\AppData\Local\Temp\tmp43A7.tmp
Source: A6AHI7Uk18.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: A6AHI7Uk18.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: A6AHI7Uk18.exe; ReversingLabs: Detection: 63%
Source: A6AHI7Uk18.exe; Virustotal: Detection: 76%
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; File read: C:\Users\user\Desktop\A6AHI7Uk18.exe
Source: unknown; Process created: C:\Users\user\Desktop\A6AHI7Uk18.exe "C:\Users\user\Desktop\A6AHI7Uk18.exe"
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A6AHI7Uk18.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAtOLFyXVhJq" /XML "C:\Users\user\AppData\Local\Temp\tmp43A7.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Process created: C:\Users\user\Desktop\A6AHI7Uk18.exe "C:\Users\user\Desktop\A6AHI7Uk18.exe"
Source: unknown; Process created: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAtOLFyXVhJq" /XML "C:\Users\user\AppData\Local\Temp\tmp5849.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Process created: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe "C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe"
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: amsi.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: propsys.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: edputil.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: netutils.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: slc.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: sppc.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe; Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe; Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: version.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: wldp.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: profapi.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: amsi.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: userenv.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: rasman.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: secur32.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: schannel.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe; Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe; Section loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
                  Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: rasapi32.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: rasman.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: rtutils.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: schannel.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: vaultcli.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Section loaded: edputil.dll
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                  Source: A6AHI7Uk18.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: A6AHI7Uk18.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Code function: 8_2_0102ACAF push esp; ret 8_2_0102ACB0
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Code function: 9_2_094CAAC1 push es; retf 000Ch 9_2_094CAAC2
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Code function: 9_2_094CDDE0 push eax; retf 000Ch 9_2_094CDDE1
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Code function: 9_2_094CBFC9 push cs; retf 000Ch 9_2_094CBFCA
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Code function: 9_2_094CC7E9 push ss; retf 000Ch 9_2_094CC7EA
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Code function: 9_2_094CC7B0 push ss; retf 000Ch 9_2_094CC7B2
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Code function: 13_2_012A0C55 push edi; retf 13_2_012A0C7A
                  Source: A6AHI7Uk18.exe Static PE information: section name: .text entropy: 7.756871661499059
                  Source: tAtOLFyXVhJq.exe.0.dr Static PE information: section name: .text entropy: 7.756871661499059
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exe File created: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe

                  Boot Survival

                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAtOLFyXVhJq" /XML "C:\Users\user\AppData\Local\Temp\tmp43A7.tmp"

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: A6AHI7Uk18.exe PID: 4600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: tAtOLFyXVhJq.exe PID: 7548, type: MEMORYSTR
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Memory allocated: 1140000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Memory allocated: 2B70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Memory allocated: 2970000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Memory allocated: 5100000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Memory allocated: 6100000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Memory allocated: 6230000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Memory allocated: 7230000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Memory allocated: 9F30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Memory allocated: AF30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Memory allocated: B3C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Memory allocated: C3C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Memory allocated: 1020000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Memory allocated: 2A20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Memory allocated: 4A20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Memory allocated: 2A10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Memory allocated: 2A50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Memory allocated: 4A50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Memory allocated: 5120000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Memory allocated: 6120000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Memory allocated: 6250000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Memory allocated: 7250000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Memory allocated: 9810000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Memory allocated: A810000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Memory allocated: B810000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Memory allocated: BCA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Memory allocated: 12A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Memory allocated: 2C10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Memory allocated: 4C10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Code function: 0_2_01141128 sgdt fword ptr [eax]
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8300
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1310
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8262
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1276
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Window / User API: threadDelayed 3982
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Window / User API: threadDelayed 5867
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Window / User API: threadDelayed 1699
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe Window / User API: threadDelayed 8152
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 2132 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7420 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7432 Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep count: 37 > 30
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7648 Thread sleep count: 3982 > 30
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -99654s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -99539s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7648 Thread sleep count: 5867 > 30
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -99321s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -99219s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -98988s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -98859s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -98750s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -98640s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -98531s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -98422s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -98305s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -98200s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -98089s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -97984s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -97875s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -97765s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -97656s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -97547s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -97437s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -97328s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -97219s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -97109s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -97000s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -96891s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -96766s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -96640s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -96531s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -96421s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -96312s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -96203s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -96094s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -95984s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -95875s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -95766s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -95641s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -95516s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -95406s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -95297s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -95187s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -95078s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -94969s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -94859s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -94750s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -94641s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe TID: 7600 Thread sleep time: -94516s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7616 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep count: 32 > 30
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -99859s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7892 Thread sleep count: 1699 > 30
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7892 Thread sleep count: 8152 > 30
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -99733s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -99609s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -99500s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -99391s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -99266s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -99141s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -99022s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -98906s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -98687s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -98469s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -98141s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -98030s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -97906s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -97796s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -97654s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -97531s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -97422s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -97312s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -97094s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -96953s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -96844s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -96703s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -96594s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -96484s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -96375s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -96234s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -96123s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -96015s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -95906s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -95797s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -95687s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -95578s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -95468s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -95359s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -95250s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -95141s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -95031s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -94922s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -94812s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -94703s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -94594s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -94484s >= -30000s
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe TID: 7884 Thread sleep time: -94375s >= -30000s
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 99875
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 99765
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 99654
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 99539
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 99437
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 99321
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 99219
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 99109
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 98988
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 98859
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 98750
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 98640
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 98531
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 98422
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 98305
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 98200
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 98089
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 97984
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 97875
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 97765
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 97656
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 97547
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 97437
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 97328
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 97219
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 97109
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 97000
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 96891
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 96766
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 96640
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 96531
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 96421
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 96312
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 96203
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 96094
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 95984
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 95875
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 95766
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 95641
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 95516
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 95406
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 95297
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 95187
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 95078
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 94969
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 94859
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 94750
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 94641
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe Thread delayed: delay time: 94516
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 99859
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 99733
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 99609
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 99500
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 99391
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 99266
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 99141
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 99022
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 98906
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 98797
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 98687
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 98578
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 98469
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 98359
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 98250
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 98141
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 98030
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 97906
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 97796
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 97654
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 97531
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 97422
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 97312
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 97203
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 97094
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 96953
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 96844
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 96703
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 96594
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 96484
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 96375
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 96234
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 96123
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 96015
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 95906
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 95797
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 95687
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 95578
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 95468
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 95359
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 95250
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 95141
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 95031
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 94922
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 94812
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 94703
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 94594
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 94484
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Thread delayed: delay time: 94375
Source: A6AHI7Uk18.exe, 00000008.00000002.4189555596.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, tAtOLFyXVhJq.exe, 0000000D.00000002.4189554013.0000000000F18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A6AHI7Uk18.exe"
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe"
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Memory written: C:\Users\user\Desktop\A6AHI7Uk18.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Memory written: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAtOLFyXVhJq" /XML "C:\Users\user\AppData\Local\Temp\tmp43A7.tmp"
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Process created: C:\Users\user\Desktop\A6AHI7Uk18.exe "C:\Users\user\Desktop\A6AHI7Uk18.exe"
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAtOLFyXVhJq" /XML "C:\Users\user\AppData\Local\Temp\tmp5849.tmp"
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Process created: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe "C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe"
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Users\user\Desktop\A6AHI7Uk18.exe VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Users\user\Desktop\A6AHI7Uk18.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeQueries volume information: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeQueries volume information: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\A6AHI7Uk18.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

Source: Yara match | File source: 0.2.A6AHI7Uk18.exe.45c1d30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.4193893855.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4192948416.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4192948416.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4193893855.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1770457595.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: A6AHI7Uk18.exe PID: 4600, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: A6AHI7Uk18.exe PID: 7400, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: tAtOLFyXVhJq.exe PID: 7772, type: MEMORYSTR
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\A6AHI7Uk18.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.A6AHI7Uk18.exe.45c1d30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.4192948416.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4193893855.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1770457595.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: A6AHI7Uk18.exe PID: 4600, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: A6AHI7Uk18.exe PID: 7400, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: tAtOLFyXVhJq.exe PID: 7772, type: MEMORYSTR
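The file and registry targets listed above are the usual credential stores an infostealer walks through in one sweep: browser login databases and profile indexes, mail-client profiles, and SFTP/FTP client session lists. A single process reading several of these categories in one run is a much stronger signal than any one access on its own, since a browser legitimately reads its own Login Data and a mail client its own profiles.ini. The script below is an added example, written for this report and not part of Joe Sandbox or of the sample; it turns the observations above into that detection logic. The "Source | action | target" event format, the three category names and the minimum-category threshold are assumptions of the example, and the sample events are constructed to mirror the paths this report lists.

```python
"""Flag processes that touch more than one category of credential store.

Added example for this report; the event format and category names are
this example's own assumptions, not a Joe Sandbox or Windows format.
"""
import re
from collections import defaultdict

# Path fingerprints taken from the artefacts listed in the report above.
# Matched case-insensitively against the target with forward slashes
# normalised to backslashes. Category names are the example's own.
CREDENTIAL_STORES = {
    "browser": [
        r"\\google\\chrome\\user data\\.*\\login data$",
        r"\\microsoft\\edge\\user data\\.*\\login data$",
        r"\\mozilla\\firefox\\profiles\.ini$",
        r"\\8pecxstudios\\cyberfox\\profiles\.ini$",
        r"\\netgate technologies\\blackhawk\\profiles\.ini$",
    ],
    "mail": [
        r"\\thunderbird\\profiles\.ini$",
        r"\\windows messaging subsystem\\profiles$",
        r"\\incredimail\\identities$",
    ],
    "file_transfer": [
        r"\\martin prikryl\\winscp 2\\sessions$",
        r"\\ftp navigator\\ftplist\.txt$",
    ],
}

# One event per line: "Source: <process> | File opened|Key opened: <target>"
EVENT_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)\s*\|\s*(?P<action>File opened|Key opened):\s*(?P<target>.+?)\s*$"
)


def classify(target):
    """Return the credential-store category of a path or key, or None."""
    normalised = target.lower().replace("/", "\\")
    for category, patterns in CREDENTIAL_STORES.items():
        if any(re.search(p, normalised) for p in patterns):
            return category
    return None


def parse_event(line):
    """Split one event line into (process, action, target); None if it does not parse."""
    match = EVENT_RE.match(line)
    if match is None:
        return None
    return match.group("proc"), match.group("action"), match.group("target")


def score_processes(lines, min_categories=2):
    """Map each process that touched >= min_categories store categories to its hits."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        proc, _action, target = event
        category = classify(target)
        if category is not None:
            hits[proc][category].add(target)
    return {
        proc: {cat: sorted(targets) for cat, targets in cats.items()}
        for proc, cats in hits.items()
        if len(cats) >= min_categories
    }


# Constructed events mirroring the report's observations, plus two controls:
# a browser reading only its own store and a system process reading a font.
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    r"Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | File opened: C:\FTP Navigator\Ftplist.txt",
    r"Source: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\System32\svchost.exe | File opened: C:\Windows\Fonts\micross.ttf",
]

if __name__ == "__main__":
    for proc, cats in score_processes(SAMPLE_EVENTS).items():
        print(proc)
        for cat, targets in cats.items():
            print(f"  {cat}: {len(targets)} store(s)")
```

Only tAtOLFyXVhJq.exe is flagged, with browser, mail and file_transfer hits; chrome.exe touches one category and is ignored. On a live host the same logic applies to object-access audit records (Event ID 4663, with SACLs set on these files and keys) rather than to sandbox report lines, and the threshold is the knob to tune: two categories already excludes every single-purpose client.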

                  Remote Access Functionality

Source: Yara match | File source: 0.2.A6AHI7Uk18.exe.45c1d30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.4193893855.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4192948416.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4192948416.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4193893855.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1770457595.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: A6AHI7Uk18.exe PID: 4600, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: A6AHI7Uk18.exe PID: 7400, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: tAtOLFyXVhJq.exe PID: 7772, type: MEMORYSTR
MITRE ATT&CK Matrix (rebuilt from the rendered matrix; a number in front of a technique is the signature count the matrix shows for it, techniques without a number had no matching signature)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 121 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 111 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools; 2 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 151 Virtualization/Sandbox Evasion; 111 Process Injection; Indicator Removal from Tools
Credential Access: 2 OS Credential Dumping; 11 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 1 Query Registry; 211 Security Software Discovery; 1 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 11 Input Capture; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph ID: 1588701; Sample: A6AHI7Uk18.exe; Startdate: 11/01/2025; Architecture: WINDOWS; Score: 100

Start (node 2)
  DNS/IP: mail.iaa-airferight.com; api.ipify.org
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 7 other signatures
  Started: A6AHI7Uk18.exe 7 (node 8); tAtOLFyXVhJq.exe 5 (node 12)

A6AHI7Uk18.exe (node 8)
  Dropped: C:\Users\user\AppData\...\tAtOLFyXVhJq.exe, PE32; C:\Users\...\tAtOLFyXVhJq.exe:Zone.Identifier, ASCII; C:\Users\user\AppData\Local\...\tmp43A7.tmp, XML; C:\Users\user\AppData\...\A6AHI7Uk18.exe.log, ASCII
  Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
  Started: A6AHI7Uk18.exe 15 2 (node 14); powershell.exe 23 (node 18); powershell.exe 23 (node 20); schtasks.exe 1 (node 22)

tAtOLFyXVhJq.exe (node 12)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  Started: tAtOLFyXVhJq.exe (node 24); schtasks.exe (node 26)

A6AHI7Uk18.exe (node 14)
  DNS/IP: api.ipify.org 172.67.74.152, 443, 49733, 49737, CLOUDFLARENETUS, United States; mail.iaa-airferight.com 46.175.148.58, 25, ASLAGIDKOM-NETUA, Ukraine
  Signatures: Installs a global keyboard hook

powershell.exe (node 18)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe (node 28); WmiPrvSE.exe (node 30)

powershell.exe (node 20)
  Started: conhost.exe (node 32)

schtasks.exe (node 22)
  Started: conhost.exe (node 34)

tAtOLFyXVhJq.exe (node 24)
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

schtasks.exe (node 26)
  Started: conhost.exe (node 36)

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
A6AHI7Uk18.exe | 63% | ReversingLabs | Win32.Trojan.Jalapeno
A6AHI7Uk18.exe | 76% | Virustotal |
A6AHI7Uk18.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | 63% | ReversingLabs | Win32.Trojan.Jalapeno
C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe | 76% | Virustotal |

No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.iaa-airferight.com | 46.175.148.58 | true | false | | high
api.ipify.org | 172.67.74.152 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | A6AHI7Uk18.exe, 00000000.00000002.1770457595.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, A6AHI7Uk18.exe, 00000008.00000002.4188956005.0000000000436000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.iaa-airferight.com | A6AHI7Uk18.exe, 00000008.00000002.4193893855.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, tAtOLFyXVhJq.exe, 0000000D.00000002.4192948416.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | A6AHI7Uk18.exe, 00000008.00000002.4193893855.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, tAtOLFyXVhJq.exe, 0000000D.00000002.4192948416.0000000002C11000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.carterandcone.coml | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.com | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.typography.netD | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/staff/dennis.htm | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org | A6AHI7Uk18.exe, 00000000.00000002.1770457595.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, A6AHI7Uk18.exe, 00000008.00000002.4188956005.0000000000429000.00000040.00000400.00020000.00000000.sdmp, A6AHI7Uk18.exe, 00000008.00000002.4193893855.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, tAtOLFyXVhJq.exe, 0000000D.00000002.4192948416.0000000002C11000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/frere-user.html | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers8 | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://localhost/arkanoid_server/requests.php | tAtOLFyXVhJq.exe, 00000009.00000002.1812509524.0000000002A59000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.urwpp.deDPlease | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cn | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | A6AHI7Uk18.exe, 00000000.00000002.1768602388.0000000002F09000.00000004.00000800.00020000.00000000.sdmp, A6AHI7Uk18.exe, 00000008.00000002.4193893855.0000000002A21000.00000004.00000800.00020000.00000000.sdmp, tAtOLFyXVhJq.exe, 00000009.00000002.1812509524.0000000002DE9000.00000004.00000800.00020000.00000000.sdmp, tAtOLFyXVhJq.exe, 0000000D.00000002.4192948416.0000000002C11000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | A6AHI7Uk18.exe, 00000000.00000002.1788157636.0000000009472000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
46.175.148.58 | mail.iaa-airferight.com | Ukraine | 56394 | ASLAGIDKOM-NETUA | false
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588701
Start date and time: 2025-01-11 04:23:19 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: A6AHI7Uk18.exe (renamed because the original name is a hash value)
Original Sample Name: f564c332d78b12de556bd32e8368115f9375f37b00fe07741d8d6214bf6c3998.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@19/15@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 158
• Number of non-executed functions: 9
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.23.242.162, 172.202.163.200, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
03:24:21 | Task Scheduler | Run new task: tAtOLFyXVhJq path: C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe
22:24:16 | API Interceptor | 8325282x Sleep call for process: A6AHI7Uk18.exe modified
22:24:18 | API Interceptor | 63x Sleep call for process: powershell.exe modified
22:24:22 | API Interceptor | 5609598x Sleep call for process: tAtOLFyXVhJq.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
46.175.148.58 | MyzWeEOlqb.exe | malicious | AgentTesla |
46.175.148.58 | 5hD3Yjf7xD.exe | malicious | AgentTesla |
46.175.148.58 | xJZHVgxQul.exe | malicious | AgentTesla |
46.175.148.58 | jG8N6WDJOx.exe | malicious | AgentTesla |
46.175.148.58 | HGhGAjCVw5.exe | malicious | AgentTesla |
46.175.148.58 | 0PPJsQE4wD.exe | malicious | AgentTesla |
46.175.148.58 | kzy8qg5lbR.exe | malicious | AgentTesla |
46.175.148.58 | OP53532 Harumi new order.scr.exe | malicious | AgentTesla |
46.175.148.58 | INV01542 , INV01562-7500003124 JTR-0084.exe | malicious | AgentTesla |
46.175.148.58 | Shipment Dec Orders valves 2024.scr.exe | malicious | AgentTesla |
172.67.74.152 | jgbC220X2U.exe | malicious | Unknown | api.ipify.org/?format=text
172.67.74.152 | malware.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/
172.67.74.152 | Simple1.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | Simple2.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | systemConfigChecker.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | systemConfigChecker.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | 2b7cu0KwZl.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | Zc9eO57fgF.elf | malicious | Unknown | api.ipify.org/
172.67.74.152 | 67065b4c84713_Javiles.exe | malicious | RDPWrap Tool | api.ipify.org/
172.67.74.152 | Yc9hcFC1ux.exe | malicious | Unknown | api.ipify.org/
                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                          mail.iaa-airferight.comMyzWeEOlqb.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 46.175.148.58
                                                                                                          5hD3Yjf7xD.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 46.175.148.58
                                                                                                          xJZHVgxQul.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                          • 46.175.148.58
jG8N6WDJOx.exe | malicious | AgentTesla | 46.175.148.58
HGhGAjCVw5.exe | malicious | AgentTesla | 46.175.148.58
0PPJsQE4wD.exe | malicious | AgentTesla | 46.175.148.58
kzy8qg5lbR.exe | malicious | AgentTesla | 46.175.148.58
OP53532 Harumi new order.scr.exe | malicious | AgentTesla | 46.175.148.58
INV01542 , INV01562-7500003124 JTR-0084.exe | malicious | AgentTesla | 46.175.148.58
Shipment Dec Orders valves 2024.scr.exe | malicious | AgentTesla | 46.175.148.58

Match: api.ipify.org
Wru9ycO2MJ.exe | malicious | AgentTesla | 104.26.13.205
iNFGd6bDZX.exe | malicious | AgentTesla | 104.26.12.205
MyzWeEOlqb.exe | malicious | AgentTesla | 104.26.12.205
5hD3Yjf7xD.exe | malicious | AgentTesla | 172.67.74.152
ukBQ4ch2nE.exe | malicious | AgentTesla | 104.26.13.205
ru52XOQ1p7.exe | malicious | AgentTesla | 172.67.74.152
xJZHVgxQul.exe | malicious | AgentTesla | 104.26.12.205
jG8N6WDJOx.exe | malicious | AgentTesla | 104.26.13.205
HGhGAjCVw5.exe | malicious | AgentTesla | 104.26.13.205
https://glfbanks.com/ | malicious | HTMLPhisher | 104.26.12.205

Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: ASLAGIDKOM-NETUA
MyzWeEOlqb.exe | malicious | AgentTesla | 46.175.148.58
5hD3Yjf7xD.exe | malicious | AgentTesla | 46.175.148.58
xJZHVgxQul.exe | malicious | AgentTesla | 46.175.148.58
jG8N6WDJOx.exe | malicious | AgentTesla | 46.175.148.58
HGhGAjCVw5.exe | malicious | AgentTesla | 46.175.148.58
0PPJsQE4wD.exe | malicious | AgentTesla | 46.175.148.58
kzy8qg5lbR.exe | malicious | AgentTesla | 46.175.148.58
OP53532 Harumi new order.scr.exe | malicious | AgentTesla | 46.175.148.58
INV01542 , INV01562-7500003124 JTR-0084.exe | malicious | AgentTesla | 46.175.148.58
Shipment Dec Orders valves 2024.scr.exe | malicious | AgentTesla | 46.175.148.58

Match: CLOUDFLARENETUS
Wru9ycO2MJ.exe | malicious | AgentTesla | 104.26.13.205
iNFGd6bDZX.exe | malicious | AgentTesla | 104.26.12.205
n2pGr8w21V.exe | malicious | FormBook | 104.18.73.116
tNXl4XhgmV.exe | malicious | MassLogger RAT | 104.21.48.1
MyzWeEOlqb.exe | malicious | AgentTesla | 104.26.12.205
02Eh1ah35H.exe | malicious | FormBook, GuLoader | 172.67.167.146
5hD3Yjf7xD.exe | malicious | AgentTesla | 172.67.74.152
MBOaS3GRtF.exe | malicious | Snake Keylogger | 104.21.64.1
https://freesourcecodes70738.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuW-242imNX | malicious | Unknown | 104.17.205.31

Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 3b5074b1b5d032e5620f69f9f700ff0e
Wru9ycO2MJ.exe | malicious | AgentTesla | 172.67.74.152
iNFGd6bDZX.exe | malicious | AgentTesla | 172.67.74.152
MyzWeEOlqb.exe | malicious | AgentTesla | 172.67.74.152
5hD3Yjf7xD.exe | malicious | AgentTesla | 172.67.74.152
AJ5zYYsisA.exe | malicious | Unknown | 172.67.74.152
AJ5zYYsisA.exe | malicious | Unknown | 172.67.74.152
4NG0guPiKA.exe | malicious | GuLoader, MassLogger RAT | 172.67.74.152
n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 172.67.74.152
njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer | 172.67.74.152
KtPCqWWnqM.exe | malicious | Unknown | 172.67.74.152
                                                                                                          No context
                                                                                                          Process:C:\Users\user\Desktop\A6AHI7Uk18.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1216
                                                                                                          Entropy (8bit):5.34331486778365
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                          Malicious:true
                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                          Process:C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1216
                                                                                                          Entropy (8bit):5.34331486778365
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                          Malicious:false
                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:modified
                                                                                                          Size (bytes):2232
                                                                                                          Entropy (8bit):5.380285623575084
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:48:+WSU4xympjgs4Rc9tEoUl8NPZHUl7u1iMuge//ZM0UyuVws:+LHxvCsIcnSKRHmOugr1Vws
                                                                                                          MD5:EBD18A968A3F9F57174C227FDC39D70F
                                                                                                          SHA1:3358783119190A194E8C5CD8022F9E231F891476
                                                                                                          SHA-256:8F9089CF5E93A18B6783F44FAC71D6FE2CE8D3215704284014A6276D9B3333B2
                                                                                                          SHA-512:E24E35618CDBF81B62A632216BF56AE7CDB1CF78A02E1B80B17E3DCC3992E6E1236FEF88D2DD71FFAE363F69950225F3B774838196D37E272C71E7E6FF73E8B8
                                                                                                          Malicious:false
                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                          Process:C:\Users\user\Desktop\A6AHI7Uk18.exe
                                                                                                          File Type:XML 1.0 document, ASCII text
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1578
                                                                                                          Entropy (8bit):5.123095447676354
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaGOxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTYv
                                                                                                          MD5:37E4D7BE9A2FC8E6DFCD655D3C00C667
                                                                                                          SHA1:AD7175C8B10B2B0F4A14E0890E3959ECA830145C
                                                                                                          SHA-256:01C6965EE9AE5745E73613A8C9C3877F48D097F83D518759057834EB6A3BF754
                                                                                                          SHA-512:A5ED88FA8E52F42960CA9F75B76121177AF074AE42AE346E9DBDAB10DFDB3CF9931475E87DCF10246D578458F36826FF4474F7CF5FA02925AA89E63027472DA9
                                                                                                          Malicious:true
                                                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                          Process:C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe
                                                                                                          File Type:XML 1.0 document, ASCII text
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1578
                                                                                                          Entropy (8bit):5.123095447676354
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaGOxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTYv
                                                                                                          MD5:37E4D7BE9A2FC8E6DFCD655D3C00C667
                                                                                                          SHA1:AD7175C8B10B2B0F4A14E0890E3959ECA830145C
                                                                                                          SHA-256:01C6965EE9AE5745E73613A8C9C3877F48D097F83D518759057834EB6A3BF754
                                                                                                          SHA-512:A5ED88FA8E52F42960CA9F75B76121177AF074AE42AE346E9DBDAB10DFDB3CF9931475E87DCF10246D578458F36826FF4474F7CF5FA02925AA89E63027472DA9
                                                                                                          Malicious:false
                                                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                          Process:C:\Users\user\Desktop\A6AHI7Uk18.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):975872
                                                                                                          Entropy (8bit):7.32860395784415
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24576:0jIeepZEF8VuoBocveV7xiyMPW6yAtlhugaJco:YBeDE8rveV7xoPW6j61
                                                                                                          MD5:CBC2BEED937B392582499A75E1D5C8D9
                                                                                                          SHA1:014D4273B428704B44D238BD0750DD246133267C
                                                                                                          SHA-256:F564C332D78B12DE556BD32E8368115F9375F37B00FE07741D8D6214BF6C3998
                                                                                                          SHA-512:0C066D80035AAD6667CF08B8234C95279E2F750B5BA337C2CB2A97AA1B0777B3B3C55B8036281F8984D08721C10471C65E122820D3D9E326CEB413BE9A4ABEFB
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                          • Antivirus: ReversingLabs, Detection: 63%
                                                                                                          • Antivirus: Virustotal, Detection: 76%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v.Ng..............0..^..........^}... ........@.. .......................@............@..................................}..W........................... ....................................................... ............... ..H............text...d]... ...^.................. ..`.rsrc...............`..............@..@.reloc....... ......................@..B................@}......H............................^............................................@......U...F ..:..xk6a..2!4|...l}.....VN.\lr.e.....Q.pGR..eAj..v.e.j.k.s..9...^.?.{;..-...;`]...!z.....(C..e...uj..7?}r`...bxE'.e...J9... .g......'x..O(,V;..y.hdO.{f,.MP$.n...V.9or5wo...Q.w(1.E.....rs...,b.x..\...._*...f$.]....,D....1.)/{4...d..h.5(....N.jrw.!D.....BET.w$A..{...d..%.|]..|.qN^.~m.0.6r.......:O=vZ2Ms..{..^js./..o0E...H+.........5...2...^.~m.0.6r..0..........(....*...0..
                                                                                                          Process:C:\Users\user\Desktop\A6AHI7Uk18.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):26
                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                          Malicious:true
                                                                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                          Entropy (8bit):7.32860395784415
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                                          File name:A6AHI7Uk18.exe
                                                                                                          File size:975'872 bytes
                                                                                                          MD5:cbc2beed937b392582499a75e1d5c8d9
                                                                                                          SHA1:014d4273b428704b44d238bd0750dd246133267c
                                                                                                          SHA256:f564c332d78b12de556bd32e8368115f9375f37b00fe07741d8d6214bf6c3998
                                                                                                          SHA512:0c066d80035aad6667cf08b8234c95279e2f750b5ba337c2cb2a97aa1b0777b3b3c55b8036281f8984d08721c10471c65e122820d3d9e326ceb413be9a4abefb
                                                                                                          SSDEEP:24576:0jIeepZEF8VuoBocveV7xiyMPW6yAtlhugaJco:YBeDE8rveV7xoPW6j61
                                                                                                          TLSH:8A25E089B500B16ECD0AC7304E32DD3457153DBEAA36D21E65EB3DAF7B7E9978804062
                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v.Ng..............0..^..........^}... ........@.. .......................@............@................................
                                                                                                          Icon Hash:c5949296969e8473
                                                                                                          Entrypoint:0x4b7d5e
                                                                                                          Entrypoint Section:.text
                                                                                                          Digitally signed:false
                                                                                                          Imagebase:0x400000
                                                                                                          Subsystem:windows gui
                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                          Time Stamp:0x674EAC76 [Tue Dec 3 07:00:06 2024 UTC]
                                                                                                          TLS Callbacks:
                                                                                                          CLR (.Net) Version:
                                                                                                          OS Version Major:4
                                                                                                          OS Version Minor:0
                                                                                                          File Version Major:4
                                                                                                          File Version Minor:0
                                                                                                          Subsystem Version Major:4
                                                                                                          Subsystem Version Minor:0
                                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                          Instruction
                                                                                                          jmp dword ptr [00402000h]
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
                                                                                                          add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7d04 | 0x57 | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb8000 | 0x380d0 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf2000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0xb5d64 | 0xb5e00 | cad82c5946a2ef75881f18a174ee322f | False | 0.9031706400343643 | data | 7.756871661499059 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0xb8000 | 0x380d0 | 0x38200 | 65fb97132472de361b356fcb63c434ca | False | 0.3078760091870824 | data | 5.197157528321747 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0xf2000 | 0xc | 0x200 | d4ffcb7969d43a8199de11a2a081783b | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xb8490 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.38353658536585367 |
| RT_ICON | 0xb8af8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.48655913978494625 |
| RT_ICON | 0xb8de0 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | | | 0.5286885245901639 |
| RT_ICON | 0xb8fc8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.5878378378378378 |
| RT_ICON | 0xb90f0 | 0x6739 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9933017975402081 |
| RT_ICON | 0xbf82c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.5578358208955224 |
| RT_ICON | 0xc06d4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.6367328519855595 |
| RT_ICON | 0xc0f7c | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.6497695852534562 |
| RT_ICON | 0xc1644 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.47760115606936415 |
| RT_ICON | 0xc1bac | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.125 |
| RT_ICON | 0xd23d4 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.21113622030691612 |
| RT_ICON | 0xdb87c | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | | | 0.21157894736842106 |
| RT_ICON | 0xe2064 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.24269870609981517 |
| RT_ICON | 0xe74ec | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.22325224374114314 |
| RT_ICON | 0xeb714 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.3196058091286307 |
| RT_ICON | 0xedcbc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.3642120075046904 |
| RT_ICON | 0xeed64 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.5086065573770492 |
| RT_ICON | 0xef6ec | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5735815602836879 |
| RT_GROUP_ICON | 0xefb54 | 0x102 | data | | | 0.5697674418604651 |
| RT_GROUP_ICON | 0xefc58 | 0x14 | data | | | 1.05 |
| RT_VERSION | 0xefc6c | 0x278 | data | | | 0.4699367088607595 |
| RT_MANIFEST | 0xefee4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347 |
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jan 11, 2025 04:24:19.881473064 CET | 54759 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jan 11, 2025 04:24:19.888083935 CET | 53 | 54759 | 1.1.1.1 | 192.168.2.4 |
| Jan 11, 2025 04:24:21.984591961 CET | 64517 | 53 | 192.168.2.4 | 1.1.1.1 |
| Jan 11, 2025 04:24:21.998143911 CET | 53 | 64517 | 1.1.1.1 | 192.168.2.4 |
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 11, 2025 04:24:19.881473064 CET | 192.168.2.4 | 1.1.1.1 | 0xbc44 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 04:24:21.984591961 CET | 192.168.2.4 | 1.1.1.1 | 0x60d0 | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false |
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 11, 2025 04:24:19.888083935 CET | 1.1.1.1 | 192.168.2.4 | 0xbc44 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 04:24:19.888083935 CET | 1.1.1.1 | 192.168.2.4 | 0xbc44 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 04:24:19.888083935 CET | 1.1.1.1 | 192.168.2.4 | 0xbc44 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 04:24:21.998143911 CET | 1.1.1.1 | 192.168.2.4 | 0x60d0 | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false |
• api.ipify.org

| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.4 | 49733 | 172.67.74.152 | 443 | 7400 | C:\Users\user\Desktop\A6AHI7Uk18.exe |

2025-01-11 03:24:20 UTC | 155 bytes transferred | OUT
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive

2025-01-11 03:24:20 UTC | 424 bytes transferred | IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 03:24:20 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 9001cb147ec2434f-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=2438&min_rtt=2437&rtt_var=917&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1190864&cwnd=209&unsent_bytes=0&cid=f47e8d7cbd54a673&ts=240&x=0"

2025-01-11 03:24:20 UTC | 12 bytes transferred | IN
Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
Data Ascii: 8.46.123.189


| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 1 | 192.168.2.4 | 49737 | 172.67.74.152 | 443 | 7772 | C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe |

2025-01-11 03:24:25 UTC | 155 bytes transferred | OUT
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive

2025-01-11 03:24:25 UTC | 424 bytes transferred | IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 03:24:25 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 9001cb30fa0943ef-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=2214&min_rtt=2187&rtt_var=839&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1335162&cwnd=237&unsent_bytes=0&cid=b88c31eacfac5533&ts=174&x=0"

2025-01-11 03:24:25 UTC | 12 bytes transferred | IN
Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
Data Ascii: 8.46.123.189


Target ID: 0
Start time: 22:24:15
Start date: 10/01/2025
Path: C:\Users\user\Desktop\A6AHI7Uk18.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\A6AHI7Uk18.exe"
Imagebase: 0x700000
File size: 975'872 bytes
MD5 hash: CBC2BEED937B392582499A75E1D5C8D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1770457595.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1770457595.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 22:24:16
Start date: 10/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\A6AHI7Uk18.exe"
Imagebase: 0xbd0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                          Target ID:3
                                                                                                          Start time:22:24:17
                                                                                                          Start date:10/01/2025
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:4
                                                                                                          Start time:22:24:17
                                                                                                          Start date:10/01/2025
                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe"
                                                                                                          Imagebase:0xbd0000
                                                                                                          File size:433'152 bytes
                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:5
                                                                                                          Start time:22:24:17
                                                                                                          Start date:10/01/2025
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:6
                                                                                                          Start time:22:24:17
                                                                                                          Start date:10/01/2025
                                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAtOLFyXVhJq" /XML "C:\Users\user\AppData\Local\Temp\tmp43A7.tmp"
                                                                                                          Imagebase:0x620000
                                                                                                          File size:187'904 bytes
                                                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:7
                                                                                                          Start time:22:24:17
                                                                                                          Start date:10/01/2025
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:8
                                                                                                          Start time:22:24:18
                                                                                                          Start date:10/01/2025
                                                                                                          Path:C:\Users\user\Desktop\A6AHI7Uk18.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\Desktop\A6AHI7Uk18.exe"
                                                                                                          Imagebase:0x600000
                                                                                                          File size:975'872 bytes
                                                                                                          MD5 hash:CBC2BEED937B392582499A75E1D5C8D9
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4193893855.0000000002A9C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4193893855.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4193893855.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Reputation:low
                                                                                                          Has exited:false

                                                                                                          Target ID:9
                                                                                                          Start time:22:24:21
                                                                                                          Start date:10/01/2025
                                                                                                          Path:C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe
                                                                                                          Imagebase:0x6d0000
                                                                                                          File size:975'872 bytes
                                                                                                          MD5 hash:CBC2BEED937B392582499A75E1D5C8D9
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                          • Detection: 63%, ReversingLabs
                                                                                                          • Detection: 76%, Virustotal, Browse
                                                                                                          Reputation:low
                                                                                                          Has exited:true

                                                                                                          Target ID:10
                                                                                                          Start time:22:24:21
                                                                                                          Start date:10/01/2025
                                                                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                          Imagebase:0x7ff693ab0000
                                                                                                          File size:496'640 bytes
                                                                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:11
                                                                                                          Start time:22:24:23
                                                                                                          Start date:10/01/2025
                                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tAtOLFyXVhJq" /XML "C:\Users\user\AppData\Local\Temp\tmp5849.tmp"
                                                                                                          Imagebase:0x620000
                                                                                                          File size:187'904 bytes
                                                                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:12
                                                                                                          Start time:22:24:23
                                                                                                          Start date:10/01/2025
                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                          Wow64 process (32bit):false
                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                          File size:862'208 bytes
                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:high
                                                                                                          Has exited:true

                                                                                                          Target ID:13
                                                                                                          Start time:22:24:23
                                                                                                          Start date:10/01/2025
                                                                                                          Path:C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\tAtOLFyXVhJq.exe"
                                                                                                          Imagebase:0x860000
                                                                                                          File size:975'872 bytes
                                                                                                          MD5 hash:CBC2BEED937B392582499A75E1D5C8D9
                                                                                                          Has elevated privileges:false
                                                                                                          Has administrator privileges:false
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4192948416.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.4192948416.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4192948416.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Has exited:false


                                                                                                            Execution Graph

                                                                                                            Execution Coverage:13.4%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:0%
                                                                                                            Total number of Nodes:151
                                                                                                            Total number of Limit Nodes:11

                                                                                                            Control-flow Graph

                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: vNB
                                                                                                            • API String ID: 0-2928088501
                                                                                                            • Opcode ID: e337190f2477cd510caed8c8208e73e81f8b7ed7dd91b09478bb30d7b1d22c0f
                                                                                                            • Instruction ID: b0841ce078df5bd2dbd49bb7af99339dcec2d909c27dc46a3229a8ba5215f8e4
                                                                                                            • Opcode Fuzzy Hash: e337190f2477cd510caed8c8208e73e81f8b7ed7dd91b09478bb30d7b1d22c0f
                                                                                                            • Instruction Fuzzy Hash: E0E1CC717007118FDB29DFB5D460B6EB7F6AF89704F14846AE64ACB6A1CB34E802CB51
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1766626672.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1140000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: N~G
                                                                                                            • API String ID: 0-2961317454
                                                                                                            • Opcode ID: 49bdd3f45edbba2f6a52388dd90334efa4cdb5f6326d0425c700fc69989d2297
                                                                                                            • Instruction ID: b4b48c27df385ebe54e45e014e2a9d089cbae2f170f678fc8f3eaa3914e737ab
                                                                                                            • Opcode Fuzzy Hash: 49bdd3f45edbba2f6a52388dd90334efa4cdb5f6326d0425c700fc69989d2297
                                                                                                            • Instruction Fuzzy Hash: 8D61C4707402064FCB1DEB78965566FBBEBAFC8614B12892A910BCF3A5CF34DD458B81
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1766626672.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1140000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: N~G
                                                                                                            • API String ID: 0-2961317454
                                                                                                            • Opcode ID: 033730224d2df7634eba31442bfdbef496c1e0c05fd83671a2c3f05610ab03fd
                                                                                                            • Instruction ID: fe5cc3c76117a22c61583e2e9c10c3c5ebd055c75375337069f49e366bdf3adc
                                                                                                            • Opcode Fuzzy Hash: 033730224d2df7634eba31442bfdbef496c1e0c05fd83671a2c3f05610ab03fd
                                                                                                            • Instruction Fuzzy Hash: F861B3707402064FCB1DEB78965566FBAEBAFC8604F12892A910B8F399DF34DD454B81
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 648f889d83d5195c605cadc28a4ba1f4e5f2804146fb60153fd123254258545b
                                                                                                            • Instruction ID: 63f8d681c233c9d16e42144ecee37c4be9911ea5cc9ed6091b8bf3910b72175a
                                                                                                            • Opcode Fuzzy Hash: 648f889d83d5195c605cadc28a4ba1f4e5f2804146fb60153fd123254258545b
                                                                                                            • Instruction Fuzzy Hash: 99E1DD31A05205CFD718DFBDC8A16AABBF1FF44300F10856AE696DB692D7349942CF92
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e19170075f84fa89eaaf673e1e16761f58a272ac2915ad41b52112aa38b91440
                                                                                                            • Instruction ID: 12def931f3d7c9e1a977d598e56ce5f88dbd27954896cc896e2b17167bc7a8b0
                                                                                                            • Opcode Fuzzy Hash: e19170075f84fa89eaaf673e1e16761f58a272ac2915ad41b52112aa38b91440
                                                                                                            • Instruction Fuzzy Hash: 05C10531E0C255CFC7048FA9E8617BABBB6FF81750F1481A6E691DB292D7348845CF92
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: e767c546845c88142763e7528b2ba32cc9d3c4948e99ee127ea99d7379b6f7e4
                                                                                                            • Instruction ID: f99d643f951072f41e361d9f8560f757aa1ccf46cdb661d227e2cbaa2ca21a7f
                                                                                                            • Opcode Fuzzy Hash: e767c546845c88142763e7528b2ba32cc9d3c4948e99ee127ea99d7379b6f7e4
                                                                                                            • Instruction Fuzzy Hash: 57E11774E002198FDB14DFA9C5909AEFBB2FF88304F249169E515AB356D730AD42CFA1

                                                                                                             Control-flow Graph
                                                                                                             control_flow_graph (graph widget data, summarised): function at 93fb43d, basic blocks 93fb43d-93fb4dd through 93fb78d; CreateProcessA is called from block 93fb5d7-93fb691; the final block 93fb78d branches to itself.
                                                                                                            APIs
                                                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 093FB67E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 963392458-0
                                                                                                            • Opcode ID: a05d925997701125702d4677d9cb2cec2cf11ceaf6dc70b4680bdd863fe8a40d
                                                                                                            • Instruction ID: 410f4618bc769e29ea6bcbe1e3313b58149fc70bed2d13d9b8e1684d2729650d
                                                                                                            • Opcode Fuzzy Hash: a05d925997701125702d4677d9cb2cec2cf11ceaf6dc70b4680bdd863fe8a40d
                                                                                                            • Instruction Fuzzy Hash: 44A17AB1D00219DFDB24CF68C851BEEFBB2BF48314F1485AAE909A7250DB749985CF91

                                                                                                             Control-flow Graph
                                                                                                             control_flow_graph (graph widget data, summarised): same body as the 93fb43d graph above, entered at 93fb448 (basic blocks 93fb448-93fb4dd through 93fb78d); CreateProcessA is called from block 93fb5d7-93fb691; the final block 93fb78d branches to itself.
                                                                                                            APIs
                                                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 093FB67E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 963392458-0
                                                                                                            • Opcode ID: 77bb7b003c8c9162960e2c859bfcb60ac029a45971a0d57e894359a7f2e68d01
                                                                                                            • Instruction ID: 682216203e7c5ecfe1580bb70ea19bc2cbea7e357f489a0085318d2f91c12e6a
                                                                                                            • Opcode Fuzzy Hash: 77bb7b003c8c9162960e2c859bfcb60ac029a45971a0d57e894359a7f2e68d01
                                                                                                            • Instruction Fuzzy Hash: 6B9158B1D00219DFDB20CFA8C851BEEFBB2BF48314F1485A9E908A7250DB749985CF91

                                                                                                             Control-flow Graph
                                                                                                             control_flow_graph (graph widget data, summarised): function at 1148ee4, basic blocks 1148ee4-1148eef through 1149039; CreateActCtxA is called from block 1148ef0-1148fb1; the final block 1149039 branches to itself.
                                                                                                            APIs
                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 01148FA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1766626672.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1140000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Create
                                                                                                            • String ID:
                                                                                                            • API String ID: 2289755597-0
                                                                                                            • Opcode ID: fd2f2a1fa8caa21920d0af4605ca4df12a03c59cf84b3d57be03a0f66acfbd52
                                                                                                            • Instruction ID: 6a246e6e661f6daec8831e7ac8caee1666d7f1c237b3e4525e32543447f00eac
                                                                                                            • Opcode Fuzzy Hash: fd2f2a1fa8caa21920d0af4605ca4df12a03c59cf84b3d57be03a0f66acfbd52
                                                                                                            • Instruction Fuzzy Hash: 4641E3B0C0061DCFDB24CFA9C8447DEBBB5BF49714F24815AD408AB251DB766985CF91

                                                                                                             Control-flow Graph
                                                                                                             control_flow_graph (graph widget data, summarised): function at 1147a8c, one large block 1147a8c-1148fb1 that calls CreateActCtxA, followed by the same tail as the 1148ee4 graph above (1148fb3 through 1149039, which branches to itself).
                                                                                                            APIs
                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 01148FA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1766626672.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1140000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Create
                                                                                                            • String ID:
                                                                                                            • API String ID: 2289755597-0
                                                                                                            • Opcode ID: df597cd77a28440a3751482568397e5d0becfc665dd0d1b3d2e9dad518a23d93
                                                                                                            • Instruction ID: ac0518801f1811dc05b57f473d8cac454213451e042ab32a29af3f21c566efce
                                                                                                            • Opcode Fuzzy Hash: df597cd77a28440a3751482568397e5d0becfc665dd0d1b3d2e9dad518a23d93
                                                                                                            • Instruction Fuzzy Hash: 8041EFB0C00619DFDB28CFA9C844B9EBBB5BF48714F2080AAD408AB251DB756945CF91

                                                                                                             Control-flow Graph
                                                                                                             control_flow_graph (graph widget data, summarised): function at 93fadb9, basic blocks 93fadb9-93fae0e through 93fae66-93fae96; WriteProcessMemory is called from block 93fae1e-93fae5d.
                                                                                                            APIs
                                                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 093FAE50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3559483778-0
                                                                                                            • Opcode ID: 86549c1ec6d21f1ebc0f3313e15463e778d7d0990db397a17508c10708eb1861
                                                                                                            • Instruction ID: 0341484845ad1520c669bb4aa35e0d3dfcf145ec116a105057a5c4fca28c3ba1
                                                                                                            • Opcode Fuzzy Hash: 86549c1ec6d21f1ebc0f3313e15463e778d7d0990db397a17508c10708eb1861
                                                                                                            • Instruction Fuzzy Hash: 5B2135B19003599FCB10DFA9C881BDEBBF4FF48314F10842AE959A7250D778A944CFA4
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 093FAE50
Memory Dump Source
• Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 26d4980325d19d29557fbb3970bddd1f458897f43ca3627b1ca4b322dc9d1ffa
• Instruction ID: da6a0fa6c67b311d41e0da3ef4e36a8bd820b3aeb3448e0401d4a2a2e197c4e8
• Opcode Fuzzy Hash: 26d4980325d19d29557fbb3970bddd1f458897f43ca3627b1ca4b322dc9d1ffa
• Instruction Fuzzy Hash: 9E2127B19003599FCB10CFA9C885BDEBBF5FF48314F108429E959A7250D7789954CFA4
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 093FACA6
Memory Dump Source
• Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 626680af98292c8a80e4a07c6bdbd4a1af926e79b24794adcb069ba37f40d66e
• Instruction ID: b196ac2c833ee2cda9fb8d8b6f201c72f07268d56d542ed69c084fe81d8b0828
• Opcode Fuzzy Hash: 626680af98292c8a80e4a07c6bdbd4a1af926e79b24794adcb069ba37f40d66e
• Instruction Fuzzy Hash: 7A2157B59002089FCB10DFAAC485BEEFBF4EF88324F148429D559A7240DB78A945CFA5
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 093FAF30
Memory Dump Source
• Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: f1270dbd5dcf5acdb1bf4b49978a62dd7df736b974aac7bb3f1376191909848a
• Instruction ID: 6e62b1df34062ede21e2f9d33f8c66feddfc3a1001a3ba52ff91a16343ffee73
• Opcode Fuzzy Hash: f1270dbd5dcf5acdb1bf4b49978a62dd7df736b974aac7bb3f1376191909848a
• Instruction Fuzzy Hash: 392139B18003499FCB10DFA9C881ADEFBF5FF48314F108429E959A7250D7759945CFA5
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 093FACA6
Memory Dump Source
• Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 4f81df52784ba4751338077184ff5ad58734b48d774e5f6c8864733c77e51b59
• Instruction ID: 5783daac737007a3c164cffd0eccb6d8dbb05d731fcfd1c8e50a33a38645682b
• Opcode Fuzzy Hash: 4f81df52784ba4751338077184ff5ad58734b48d774e5f6c8864733c77e51b59
• Instruction Fuzzy Hash: F22149B5D003098FDB10DFAAC4857EEBBF4EF88324F148429D559A7240D778A944CFA5
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 093FAF30
Memory Dump Source
• Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 24f890f7a7428586bdcc1025c9207282c52e1bb3298fb6fe77c622e7b55fa52f
• Instruction ID: 1dbc3fde87766bbcd9758830b6ba5a982a4719393a1c00c0ec0cd61dea916edd
• Opcode Fuzzy Hash: 24f890f7a7428586bdcc1025c9207282c52e1bb3298fb6fe77c622e7b55fa52f
• Instruction Fuzzy Hash: 282128B18003599FCB10DFAAC880ADEFBF5FF48320F108429E959A7250D7749944CFA5
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 093FAD6E
Memory Dump Source
• Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 18cc8506e075bc0834bf7a9e4edbdd5c8533ea86539e35465cfe7a8fe0fc2719
• Instruction ID: 7dcdcb5399b955c29d639a32f8cb87f858e04e6fcf252dab0e0343e2a9df4942
• Opcode Fuzzy Hash: 18cc8506e075bc0834bf7a9e4edbdd5c8533ea86539e35465cfe7a8fe0fc2719
• Instruction Fuzzy Hash: AC1167B18002489FCB10DFAAC844BDEBFF5EF88324F10842AE559A7260D7759940CFA0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 32ba3f5b47d6f69c38ebd3d9372d9cf912700479123b13eb1103ce7fb6e6ca1a
• Instruction ID: 94e54245255f2f790d21b1b8425839c75c4098707d0824623837a16dcb7b03bc
• Opcode Fuzzy Hash: 32ba3f5b47d6f69c38ebd3d9372d9cf912700479123b13eb1103ce7fb6e6ca1a
• Instruction Fuzzy Hash: 831134B1D002488ECB24DFA9C445BEEFBF5EF88324F20842AD55AA7250D679A945CF94
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 093FAD6E
Memory Dump Source
• Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: ac3fc8a26f178c184fc98d94e3f3b1fdefa71d6a17e8eefd733b3a35248a0fd2
• Instruction ID: a94f96c9bf081c27f84523af98233fef7796e8f4c3a26c62da58602d5764eac4
• Opcode Fuzzy Hash: ac3fc8a26f178c184fc98d94e3f3b1fdefa71d6a17e8eefd733b3a35248a0fd2
• Instruction Fuzzy Hash: E41137B19002499FCB10DFAAC844BDEBFF5EF88324F108419E559A7250C775A944CFA5
APIs
Memory Dump Source
• Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: 861b63ccf45787e5beb7a7b50b141c55ba52ba2877f0be2e1e569f7f76cde2db
• Instruction ID: 6ae7a094ae3d9a2ba23bcc18d9440dc4c767401d6a6d0fd376015271e1c0fc2f
• Opcode Fuzzy Hash: 861b63ccf45787e5beb7a7b50b141c55ba52ba2877f0be2e1e569f7f76cde2db
• Instruction Fuzzy Hash: 941166B19002488FCB20DFAAC4447DEFBF5EB88324F208429D519A7250DB79A944CFA4
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 093FF3B5
Memory Dump Source
• Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 97bbdf95070d26baf8458d60923f2e2d546ff40be66fe8904668c00df772bca1
• Instruction ID: 83292dfefb57b856021b82b5036312818ad40379fc75fb2144bc39e63c303fda
• Opcode Fuzzy Hash: 97bbdf95070d26baf8458d60923f2e2d546ff40be66fe8904668c00df772bca1
• Instruction Fuzzy Hash: B311F5B58003499FCB10DF99C844BDEFBF8EB48324F10841AE954A7610C375A944CFA5
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 093FF3B5
Memory Dump Source
• Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 97086f78e5cc2c6a3ef002e0506807aa319a5a15c4e4db17ec5db800800f16a1
• Instruction ID: ee1d42208f3fedeba756729597fbafd49b4cbed442c2b7125778ad3ee9ac85ca
• Opcode Fuzzy Hash: 97086f78e5cc2c6a3ef002e0506807aa319a5a15c4e4db17ec5db800800f16a1
• Instruction Fuzzy Hash: B411E0B58002499FDB10CFA9D445BDEBBF8EB88324F20841AE959A7211C375A944CFA1
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0114E81E
Memory Dump Source
• Source File: 00000000.00000002.1766626672.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1140000_A6AHI7Uk18.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 65438b92d7e730c848242a4afb7b29fdb76aa86e495256565ca78e57e7907a44
• Instruction ID: 483fa2820777dc9de96139bee79af1d2f298f2223a43977a097f0defbbf93fed
• Opcode Fuzzy Hash: 65438b92d7e730c848242a4afb7b29fdb76aa86e495256565ca78e57e7907a44
• Instruction Fuzzy Hash: BC1110B5C002498FDB14CF9AD444ADEFBF4AB88324F10842AD819A7210D379A545CFA5
Memory Dump Source
• Source File: 00000000.00000002.1765119526.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10ed000_A6AHI7Uk18.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 339bc3476189b6ff3db32a20217705b02fa05caaf9c62b3182dcb8b982e863c0
• Instruction ID: dc299d26def920e1725728d2e9f3fd2ab26f7a914e65e625246f898c42817ba4
• Opcode Fuzzy Hash: 339bc3476189b6ff3db32a20217705b02fa05caaf9c62b3182dcb8b982e863c0
• Instruction Fuzzy Hash: 102125B2500240DFDB05DF59D9C8B2ABFE5FB88318F20C5A9E9890B256C336D456CBA1
Memory Dump Source
• Source File: 00000000.00000002.1765798319.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10fd000_A6AHI7Uk18.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e3d69dae1d1d422a20f2c9c58b98cd377bda952fe9b73767589c80695e8b1a2
• Instruction ID: c72afb7822e62a7fce487309f9ec32084f6acf923107ef4a93af3f0738c8bd20
• Opcode Fuzzy Hash: 2e3d69dae1d1d422a20f2c9c58b98cd377bda952fe9b73767589c80695e8b1a2
• Instruction Fuzzy Hash: 92212271604200DFDB15DF58D984B2ABFA5EB84314F20C6ADEA8A4B656C33AD447CB61
Memory Dump Source
• Source File: 00000000.00000002.1765119526.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10ed000_A6AHI7Uk18.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction ID: bc6633480e81959eff296075097f30cfe4c26f86bfcba6d54134518843406de2
• Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction Fuzzy Hash: 9B11D376504280CFDB16CF54D9C4B16BFB1FB84318F24C6AAD9490B657C336D45ACBA1
Memory Dump Source
• Source File: 00000000.00000002.1765798319.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10fd000_A6AHI7Uk18.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction ID: e2055eb4e149bece383e94622aacefdfe23709f7b4baa160c931f72fefe7f0ab
• Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction Fuzzy Hash: 5211DD75504280CFDB16CF58D5C4B16FFA2FB84314F24C6AEE9494BA56C33AD40ACBA2
Memory Dump Source
• Source File: 00000000.00000002.1765119526.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_10ed000_A6AHI7Uk18.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8f63da45f4654dbfdf7d2a64ff346d3bcd9ebe673eb9f1ece52d4f96d78e4e27
• Instruction ID: 7534cbabe11bccdd7e0b4cedf93a4e7dad45a59e801b1c8d8fdf5408aec6f989
• Opcode Fuzzy Hash: 8f63da45f4654dbfdf7d2a64ff346d3bcd9ebe673eb9f1ece52d4f96d78e4e27
• Instruction Fuzzy Hash: 6E01A7710483849EE7114B6ACD8876BBFD8FF81325F18C56AEDC94A196E279D840C7B1
Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1765119526.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_10ed000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1f1dbda084efa339ff9ceff99818f4d0c50b33488d50e2f48018985e777e2d02
                                                                                                            • Instruction ID: 9f09820f196476e15d44d31a94ba903282c7cd7326e2057a3481124ba49f1bc4
                                                                                                            • Opcode Fuzzy Hash: 1f1dbda084efa339ff9ceff99818f4d0c50b33488d50e2f48018985e777e2d02
                                                                                                            • Instruction Fuzzy Hash: CBF0C8710043449EE7108B1AC888766FFD8EF80334F18C45AED484E282D2759840CB71
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: D@
                                                                                                            • API String ID: 0-2394783225
                                                                                                            • Opcode ID: f5cd627f84d8ff54eb7fae997fe3ce0acca0d5504a6701bb2485437225e19ed3
                                                                                                            • Instruction ID: c40a2bf03f06e2b09d9a47544c63ac4132b122dc8da2754951ac3a184960d88b
                                                                                                            • Opcode Fuzzy Hash: f5cd627f84d8ff54eb7fae997fe3ce0acca0d5504a6701bb2485437225e19ed3
                                                                                                            • Instruction Fuzzy Hash: 77E13B74E002198FDB14DFA9C5909AEFBB2FF89304F249269E515AB355D730AD42CFA0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 40c5e691eb3b3dd6e6702ff0fff384bd7792ae9fc027d68aacd0cb0238cffdff
                                                                                                            • Instruction ID: d515b856364726556a0b2095e9a6f7b63c188e538920e58fa4663d93737e219f
                                                                                                            • Opcode Fuzzy Hash: 40c5e691eb3b3dd6e6702ff0fff384bd7792ae9fc027d68aacd0cb0238cffdff
                                                                                                            • Instruction Fuzzy Hash: 03E11974E002198FDB14DFA9C5909AEFBB2FF89304F249169E515AB356D730AD42CFA0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0a76ea3c4c0a9fabc9cf7d9c7b463a996095bf0ae662b718ad8858a68fa8e780
                                                                                                            • Instruction ID: bdb95a9c2a2955bde29a882c32f65e990985f6ae8556cd794d1293b8356c93bb
                                                                                                            • Opcode Fuzzy Hash: 0a76ea3c4c0a9fabc9cf7d9c7b463a996095bf0ae662b718ad8858a68fa8e780
                                                                                                            • Instruction Fuzzy Hash: 8CE10974E002198FDB14DFA9C5909AEFBB2FF49304F249169E519AB355D730AD42CF60
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ec13b93277f21c8780511d665a7511f891a7815e3b54a9f76ec764967822b729
                                                                                                            • Instruction ID: 8485510d11aa27d8014cf7558d7729b84a3419ed0b50f0af921dce82dc728563
                                                                                                            • Opcode Fuzzy Hash: ec13b93277f21c8780511d665a7511f891a7815e3b54a9f76ec764967822b729
                                                                                                            • Instruction Fuzzy Hash: 7BE10974E001198FDB14DFA9C5909AEFBB2FF88304F249169E515AB35AD730AD42CFA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1766626672.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1140000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: afe47c59080e1ece7acd5642c863f3cb9267ee5751fb3a0f580295a16b80b967
                                                                                                            • Instruction ID: b443f46ab045ba0d22944a7101576f9509bb0bff32b8f5e0637aa8e948093368
                                                                                                            • Opcode Fuzzy Hash: afe47c59080e1ece7acd5642c863f3cb9267ee5751fb3a0f580295a16b80b967
                                                                                                            • Instruction Fuzzy Hash: 14517C302002019FD714EB65D95579ABFA3FF80300F50CA6CD6D69FAA9DF70E94A8B91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7492c2bb7639258f7b7c390564db5786a66968e858a65167fd4b4f2214a0a40d
                                                                                                            • Instruction ID: bd54b96601e511e98cbd9b1f65e7e626b95b566cbec7491adb60d56f6b52ec21
                                                                                                            • Opcode Fuzzy Hash: 7492c2bb7639258f7b7c390564db5786a66968e858a65167fd4b4f2214a0a40d
                                                                                                            • Instruction Fuzzy Hash: 44513C74E002198FDB18DFA9C5805AEFBF2FF89304F24C16AD459A7256D730A942CFA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1787918865.00000000093F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 093F0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_93f0000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 86b2086a6efa24d4d5ca72283ba526c73af6f2538804e19face918fbc852069f
                                                                                                            • Instruction ID: 2bb76f178f9abd3464fa209ba13fc5195c2b041a22014ce93a1a8fb18a8e6f38
                                                                                                            • Opcode Fuzzy Hash: 86b2086a6efa24d4d5ca72283ba526c73af6f2538804e19face918fbc852069f
                                                                                                            • Instruction Fuzzy Hash: C4512770E002198FDB14DFA9C5845AEFBF2BF89300F24816AD559A7356D730A942CFA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1766626672.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1140000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9284a9d23f0a787abd22442567d6959ec2f3f852d84e738dcb3d26c43e09a71a
                                                                                                            • Instruction ID: ba5825751ccfd5efb1b27e54b19334ac196e452c73ee9cd585ca2cdfd2ba0a92
                                                                                                            • Opcode Fuzzy Hash: 9284a9d23f0a787abd22442567d6959ec2f3f852d84e738dcb3d26c43e09a71a
                                                                                                            • Instruction Fuzzy Hash: F841D275F2461A8FEB48CF68C8856AEFBF2BF89610B158626D455E7360D330D901CB92
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.1766626672.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_1140000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6de4dd43ca0961eb307072e7e77a5ef110d1df0de884b9dd615b5d41e15eba63
                                                                                                            • Instruction ID: b281bf7390323ffa3732859b923dc85f2bfc0b51d107d7dc9a129b7ea18ee98e
                                                                                                            • Opcode Fuzzy Hash: 6de4dd43ca0961eb307072e7e77a5ef110d1df0de884b9dd615b5d41e15eba63
                                                                                                            • Instruction Fuzzy Hash: B331D175F2462A8FAB48CF68C8456AEFBF2FF88610B158632D515E7360D330D901CB92

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:13%
                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                            Signature Coverage:0%
                                                                                                            Total number of Nodes:19
                                                                                                            Total number of Limit Nodes:4
                                                                                                            execution_graph 23404 1020848 23406 102084e 23404->23406 23405 102091b 23406->23405 23408 1021382 23406->23408 23410 1021396 23408->23410 23409 1021484 23409->23406 23410->23409 23412 1027ea8 23410->23412 23413 1027eb2 23412->23413 23414 1027ecc 23413->23414 23417 652d9f0 23413->23417 23422 652d9e0 23413->23422 23414->23410 23419 652da05 23417->23419 23418 652dc1a 23418->23414 23419->23418 23420 652dc31 GlobalMemoryStatusEx 23419->23420 23421 652de88 GlobalMemoryStatusEx 23419->23421 23420->23419 23421->23419 23424 652da05 23422->23424 23423 652dc1a 23423->23414 23424->23423 23425 652dc31 GlobalMemoryStatusEx 23424->23425 23426 652de88 GlobalMemoryStatusEx 23424->23426 23425->23424 23426->23424
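The execution_graph listing above, and the control_flow_graph listings that follow it, are flattened node/edge dumps: a node is `<id> <hex address[-hex address]>` optionally followed by an annotation (a Win32 API name in the execution graph, `call <target>` in a control-flow graph), and an edge is `<id>-><id>`. The parser below is an added example, not part of the Joe Sandbox report; it turns a listing into a graph and answers the question an analyst has at this point, namely which API nodes are reachable from the entry node and by what path. Both input strings are copied verbatim from this page (the process-0 execution graph and the first process-8 control-flow graph); treating the first listed node as the entry, and `call` always taking the next token as its target, are my assumptions.

```python
"""Parser for the flattened execution_graph / control_flow_graph listings that Joe Sandbox
prints.  Tokens: node = <id> <hex-addr[-hex-addr]> [annotation...], edge = <id>-><id>.
An annotation is a Win32 API name (execution graph) or "call <target>" (control-flow graph)."""
import re
from collections import deque

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
DEC_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")

# Copied verbatim from this report: the process-0 execution graph and the first
# control-flow graph of process 8.
EXECUTION_GRAPH = (
    "execution_graph 23404 1020848 23406 102084e 23404->23406 23405 102091b 23406->23405 "
    "23408 1021382 23406->23408 23410 1021396 23408->23410 23409 1021484 23409->23406 "
    "23410->23409 23412 1027ea8 23410->23412 23413 1027eb2 23412->23413 23414 1027ecc "
    "23413->23414 23417 652d9f0 23413->23417 23422 652d9e0 23413->23422 23414->23410 "
    "23419 652da05 23417->23419 23418 652dc1a 23418->23414 23419->23418 23420 652dc31 "
    "GlobalMemoryStatusEx 23419->23420 23421 652de88 GlobalMemoryStatusEx 23419->23421 "
    "23420->23419 23421->23419 23424 652da05 23422->23424 23423 652dc1a 23423->23414 "
    "23424->23423 23425 652dc31 GlobalMemoryStatusEx 23424->23425 23426 652de88 "
    "GlobalMemoryStatusEx 23424->23426 23425->23424 23426->23424"
)
CONTROL_FLOW_GRAPH = (
    "control_flow_graph 1167 102ade2-102ade6 1168 102ade8-102af6f 1167->1168 1170 102af82-102b7b7 "
    "1168->1170 1171 102af71-102af77 1168->1171 1182 102c997-102cec2 1170->1182 1171->1170 "
    "1172 102ced1-102cffe call 102a968 1171->1172 1191 102d010-102d880 1172->1191 "
    "1198 102cec8-102cecb 1182->1198 1191->1171 1200 102d880 1191->1200 1198->1172 1198->1191 "
    "1200->1171 1201 102d886-102d888 1200->1201 1202 102d88a 1201->1202 1203 102d88f-102d892 "
    "1201->1203 1202->1203 1204 102aa4a-102adbb 1203->1204 1205 102d898-102d89f 1203->1205 1204->1168"
)


def parse_graph(text):
    """Return (graph name, {id: (address, annotation tuple)}, [(src, dst), ...])."""
    tokens = text.split()
    name, nodes, edges, i = tokens[0], {}, [], 1
    while i < len(tokens):
        edge = EDGE_RE.match(tokens[i])
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        # A node starts with a decimal id immediately followed by a hex address or range.
        if not (DEC_RE.match(tokens[i]) and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1])):
            raise ValueError(f"unexpected token {tokens[i]!r} at offset {i}")
        node_id, addr, i = int(tokens[i]), tokens[i + 1], i + 2
        annotation = []
        # Annotation words run until the next edge or decimal node id; "call" always
        # takes the following token as its target (assumption about the format).
        while i < len(tokens) and not EDGE_RE.match(tokens[i]) and not DEC_RE.match(tokens[i]):
            annotation.append(tokens[i])
            if tokens[i] == "call" and i + 1 < len(tokens):
                annotation.append(tokens[i + 1])
                i += 1
            i += 1
        nodes[node_id] = (addr, tuple(annotation))
    missing = {n for e in edges for n in e} - nodes.keys()
    if missing:
        raise ValueError(f"edges reference undeclared nodes: {sorted(missing)}")
    return name, nodes, edges


def api_calls(nodes):
    """API name -> sorted [(node id, address)] for nodes that call out of the module."""
    hits = {}
    for nid, (addr, ann) in nodes.items():
        if ann and ann[0] != "call":
            hits.setdefault(" ".join(ann), []).append((nid, addr))
    return {api: sorted(v) for api, v in hits.items()}


def intra_calls(nodes):
    """node id -> target address for 'call <target>' annotations (control-flow graphs)."""
    return {nid: ann[1] for nid, (_, ann) in nodes.items() if ann[:1] == ("call",)}


def shortest_path(edges, start, goal):
    """BFS over the directed edges; the id path start..goal, or None if unreachable."""
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    parent, queue = {start: None}, deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            path = [cur]
            while parent[cur] is not None:
                cur = parent[cur]
                path.append(cur)
            return path[::-1]
        for nxt in succ.get(cur, []):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def summarize(text):
    """Counts, the APIs reached, and the shortest path from the entry node to each API node.
    Assumption: the first node listed is the entry (Joe Sandbox emits it first)."""
    name, nodes, edges = parse_graph(text)
    entry, apis = next(iter(nodes)), api_calls(nodes)
    return {"name": name, "nodes": len(nodes), "edges": len(edges), "entry": entry,
            "apis": apis, "intra_calls": intra_calls(nodes),
            "paths_to_api": {nid: shortest_path(edges, entry, nid)
                             for hits in apis.values() for nid, _ in hits}}
```

Running `summarize(EXECUTION_GRAPH)` reproduces the report's node count of 19 and shows that all four API nodes are `GlobalMemoryStatusEx` (two per branch, at 652dc31 and 652de88) and that each is reachable from node 23404 in eight hops. The control-flow graph yields no API nodes but one intra-module `call 102a968` at node 1172, three hops from 1167. GlobalMemoryStatusEx returns the installed and available RAM, a value commonly compared against a threshold by anti-VM checks; the report itself does not say what the sample compares it with, so that reading stays an interpretation.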

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 1167 102ade2-102ade6 1168 102ade8-102af6f 1167->1168 1170 102af82-102b7b7 1168->1170 1171 102af71-102af77 1168->1171 1182 102c997-102cec2 1170->1182 1171->1170 1172 102ced1-102cffe call 102a968 1171->1172 1191 102d010-102d880 1172->1191 1198 102cec8-102cecb 1182->1198 1191->1171 1200 102d880 1191->1200 1198->1172 1198->1191 1200->1171 1201 102d886-102d888 1200->1201 1202 102d88a 1201->1202 1203 102d88f-102d892 1201->1203 1202->1203 1204 102aa4a-102adbb 1203->1204 1205 102d898-102d89f 1203->1205 1204->1168
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6d1faf73ab28692396516166e1dc0cfc7aefeba38e202fbadfca425c6263261e
                                                                                                            • Instruction ID: b5bf901b81343a0f7f31a1db1bb8595858819ac03afac730f7d78f0df04cbd67
                                                                                                            • Opcode Fuzzy Hash: 6d1faf73ab28692396516166e1dc0cfc7aefeba38e202fbadfca425c6263261e
                                                                                                            • Instruction Fuzzy Hash: 2B53F631D10B1A8ADB51EF68C880599F7B1FF99300F15D79AE4587B221FB70AAD4CB81
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: \VKm
                                                                                                            • API String ID: 0-3894457903
                                                                                                            • Opcode ID: 211fe7f2867bcf8422d56f40ad2f80c0604f21922c500a84ddd4ba9d4426b51f
                                                                                                            • Instruction ID: 8dbfb4594c5c4c5364b02fae4891262052296a8f317df2ca7d9b5dce1bf54220
                                                                                                            • Opcode Fuzzy Hash: 211fe7f2867bcf8422d56f40ad2f80c0604f21922c500a84ddd4ba9d4426b51f
                                                                                                            • Instruction Fuzzy Hash: 08B12E70E002298FDF54CFA9D8857DDBBF2BF88314F148129E899E7254EB749845CB91
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: \VKm
                                                                                                            • API String ID: 0-3894457903
                                                                                                            • Opcode ID: 8f81bc6094ed9bb7aeda2d2f1b192139c9f44483c8926911611d91bf858ed07c
                                                                                                            • Instruction ID: ac5cf0e635780b3b0f1294a9f5378741cf4bc4fbeb12eedbdc3922ada0ba4642
                                                                                                            • Opcode Fuzzy Hash: 8f81bc6094ed9bb7aeda2d2f1b192139c9f44483c8926911611d91bf858ed07c
                                                                                                            • Instruction Fuzzy Hash: A1915F70E002198FDF50CFA9D9857DDBBF2BF98314F148129E499EB254EB749886CB81
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a9a09cc9f3a6fe6d1cfeb031de6a9d2d6f187e1246114340bbff5b290931f640
                                                                                                            • Instruction ID: 6abda5cb902f844c7cffa20517f24e5aa7d9a4b338565a80ceb1a055eb11061e
                                                                                                            • Opcode Fuzzy Hash: a9a09cc9f3a6fe6d1cfeb031de6a9d2d6f187e1246114340bbff5b290931f640
                                                                                                            • Instruction Fuzzy Hash: 80B17F70E002298FDF51DFADD8857DDBBF2AF88314F248129D899E7294EB749845CB81

                                                                                                            Control-flow Graph (graph rendering not reproduced; executed and not-executed blocks were marked in the original)
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: \VKm$\VKm
                                                                                                            • API String ID: 0-3999629693
                                                                                                            • Opcode ID: 3d940c66a495b40663fadd26a643fe1483c9fef5722dd1ca78388c00c4ecd3ef
                                                                                                            • Instruction ID: 2ccb7e3734c891554be89d6da0cebdf48c08886abd6e518bce1da9a7cb44cafd
                                                                                                            • Opcode Fuzzy Hash: 3d940c66a495b40663fadd26a643fe1483c9fef5722dd1ca78388c00c4ecd3ef
                                                                                                            • Instruction Fuzzy Hash: 3C716BB0E00259DFDB50CFA9C8847DEBBF1AF48314F148129E499EB254EB749846CF95

                                                                                                            Control-flow Graph (graph rendering not reproduced; executed and not-executed blocks were marked in the original)
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: \VKm$\VKm
                                                                                                            • API String ID: 0-3999629693
                                                                                                            • Opcode ID: 4d14c083179c312a3344208025a865fed81f6c73d62be5392abd2230cba8deeb
                                                                                                            • Instruction ID: 6b8c753c1e0d07717e804bc7d57465b4465a11c7b10733c044da4f276d46741b
                                                                                                            • Opcode Fuzzy Hash: 4d14c083179c312a3344208025a865fed81f6c73d62be5392abd2230cba8deeb
                                                                                                            • Instruction Fuzzy Hash: CF716AB0E00259CFDB54CFA9C8847DEBBF2AF88314F148129E459EB254EB749846CF95
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4206685257.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_6520000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: da8d73795f94b10f78dcd894f3efb3794dde218f59e74fc609ea127a7358b0b5
                                                                                                            • Instruction ID: 3b297bdce1d2fa61da4912b24a9bf266be97c659d73ad7d01fba5ddafde26068
                                                                                                            • Opcode Fuzzy Hash: da8d73795f94b10f78dcd894f3efb3794dde218f59e74fc609ea127a7358b0b5
                                                                                                            • Instruction Fuzzy Hash: ED412272D003599FCB14DF79D80469EBBF5BF89310F14856AE908AB281EB749885CBE1
                                                                                                            APIs
                                                                                                            • GlobalMemoryStatusEx.KERNEL32 ref: 0652EA9F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4206685257.0000000006520000.00000040.00000800.00020000.00000000.sdmp, Offset: 06520000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_6520000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: GlobalMemoryStatus
                                                                                                            • String ID:
                                                                                                            • API String ID: 1890195054-0
                                                                                                            • Opcode ID: f12f8dafacc33a416ebb8a2217343a5f658173e3c356c6a81b366fb2faefd17f
                                                                                                            • Instruction ID: 24115dda2ea145df4227fcfd0e123f82175f5ed82fa8a99cda110a7316258911
                                                                                                            • Opcode Fuzzy Hash: f12f8dafacc33a416ebb8a2217343a5f658173e3c356c6a81b366fb2faefd17f
                                                                                                            • Instruction Fuzzy Hash: 801123B1C0026A9FCB10CF9AC449BDEFBF4BF48320F10812AD818A7250D378A940CFA5
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: \VKm
                                                                                                            • API String ID: 0-3894457903
                                                                                                            • Opcode ID: 98b068d828a41c71f9a99bf214df390a4b1698fa23b5323181782f5974a8e21a
                                                                                                            • Instruction ID: 36f22e22c0fee567aa2644be281e520cd3a559f6c89b0b4a741ade177da20d68
                                                                                                            • Opcode Fuzzy Hash: 98b068d828a41c71f9a99bf214df390a4b1698fa23b5323181782f5974a8e21a
                                                                                                            • Instruction Fuzzy Hash: B9B12B70E00229CFDB54CFA9D8857DDBBF1BF88314F148129E899E7294EB749846CB91
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: \VKm
                                                                                                            • API String ID: 0-3894457903
                                                                                                            • Opcode ID: 745dff3e57b0572de1c60512c15091827f04f4d2bf61482357021f0fb5881d7b
                                                                                                            • Instruction ID: b44bc44046fd4232b90d4499e710c00aa46450da7a94af4ba1305aedf9e98c82
                                                                                                            • Opcode Fuzzy Hash: 745dff3e57b0572de1c60512c15091827f04f4d2bf61482357021f0fb5881d7b
                                                                                                            • Instruction Fuzzy Hash: 4E915D70E00219CFDB50CFA8D985BDDBBF1BF58314F248129E499EB254EB749886CB91
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: LR^q
                                                                                                            • API String ID: 0-2625958711
                                                                                                            • Opcode ID: c44629838a683429959189a595fca1c819ea9703f607bdf66e26babcb5c04a07
                                                                                                            • Instruction ID: 215ca8c624813b2057ca5f30ff1c01e3f2caab4b2ce3facd1f052230ed954747
                                                                                                            • Opcode Fuzzy Hash: c44629838a683429959189a595fca1c819ea9703f607bdf66e26babcb5c04a07
                                                                                                            • Instruction Fuzzy Hash: A2516B34700225CFDB54EB68C598AAE7BF2EF88300F2044A9E446EB3A1DB759C45CB91
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: LR^q
                                                                                                            • API String ID: 0-2625958711
                                                                                                            • Opcode ID: 870962d4c205e6877af491eeba357be3541d8c68edfb85c4d9b9253ba128b0ec
                                                                                                            • Instruction ID: 5e369f218231e5ce16c5a0d0895a091525c96387b6590578950b59f762fa7050
                                                                                                            • Opcode Fuzzy Hash: 870962d4c205e6877af491eeba357be3541d8c68edfb85c4d9b9253ba128b0ec
                                                                                                            • Instruction Fuzzy Hash: E3318F35E00229DFEF65DFA9C4407AEB7B2FF99300F208469E905EB241DB71A846CB51
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: LR^q
                                                                                                            • API String ID: 0-2625958711
                                                                                                            • Opcode ID: c545006247cebac8131bacce2927f2e445aeb17f6c7959ddbff06ddb574502a4
                                                                                                            • Instruction ID: 5e81ba1d76ef9755f46d60ba7a3d67087ebfd7a87f126047625ac99593bf2f28
                                                                                                            • Opcode Fuzzy Hash: c545006247cebac8131bacce2927f2e445aeb17f6c7959ddbff06ddb574502a4
                                                                                                            • Instruction Fuzzy Hash: F6318F35E002299FEF66DF68C4547AEB7F2EF99300F208459E905EB241EBB09846CB50
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: LR^q
                                                                                                            • API String ID: 0-2625958711
                                                                                                            • Opcode ID: 37ba6ff3932562a2b5c6b43979659bc05271b01ee9b9671cc2aef57e231587c4
                                                                                                            • Instruction ID: 13705e302e56d448227d041443d351f4fb9414bbdd2cff32321f42bbd3598dba
                                                                                                            • Opcode Fuzzy Hash: 37ba6ff3932562a2b5c6b43979659bc05271b01ee9b9671cc2aef57e231587c4
                                                                                                            • Instruction Fuzzy Hash: DE114834B082415FD306AB3880642AE7FF2EF8A300B0048EED056CB792DE748847C792
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2518915801cbfbc0b69d7f6807e33afb7d9b7554f8b1f05cd24cf54065cc33b5
                                                                                                            • Instruction ID: 29ac00c8fc772f7a0a3cd75c62e700a77cccd5c1b3512014846fe46deb9de8f9
                                                                                                            • Opcode Fuzzy Hash: 2518915801cbfbc0b69d7f6807e33afb7d9b7554f8b1f05cd24cf54065cc33b5
                                                                                                            • Instruction Fuzzy Hash: AD127E347002029FDB66AB3CE45166D73E2FB95311F649939E106CB795CF72EC8A8B81
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 99589844ada8a0c11d7f64e1fecbdfa2bbb23872713ec3a8b1e2da146121789d
                                                                                                            • Instruction ID: dfcaf207681de7da040070604f563e87c0eabf94c2ed24b642e0a6b56f0422b2
                                                                                                            • Opcode Fuzzy Hash: 99589844ada8a0c11d7f64e1fecbdfa2bbb23872713ec3a8b1e2da146121789d
                                                                                                            • Instruction Fuzzy Hash: 74E1DF30B00215CFDB15DB68D984AAEBBF2EB88314F208469E54ADB751DF31EC46CB51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d984316dc380d0a263d39364e04baa0e573e293aa7b20b6c160f2577c05523db
                                                                                                            • Instruction ID: 4cca25d8c0eda612a3203a2e2f2095a422cdf8afc45f01f336279c2f17567a42
                                                                                                            • Opcode Fuzzy Hash: d984316dc380d0a263d39364e04baa0e573e293aa7b20b6c160f2577c05523db
                                                                                                            • Instruction Fuzzy Hash: 8BB15E70E002298FDF51DFACD8857DDBBF1AF48314F248169D899EB254EB749886CB81
                                                                                                            Memory Dump Source
                                                                                                            • Instruction Fuzzy Hash: 0521D071508204EFCB14DF18DE81F26BBA6EB84318F24C57ED8495A296C37BD847CA62
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6bd776a9f75387ec9ea9b078e761727cb0768ebaa4ee8e2cc5dbdc33c3ecc6b6
                                                                                                            • Instruction ID: cb95459fb7915b1a3cf1e846d10eaf07a581c58bcf2bb94ff924f12c1b71862f
                                                                                                            • Opcode Fuzzy Hash: 6bd776a9f75387ec9ea9b078e761727cb0768ebaa4ee8e2cc5dbdc33c3ecc6b6
                                                                                                            • Instruction Fuzzy Hash: 8A21D874A042208FFF72572CD44437D7BA1EB02314F1008A9E48AC77D2DE7988878742
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 58f63d2a49e2dccc397039e1760641fb3daf576b141c484edaf97bd7eff7d6e5
                                                                                                            • Instruction ID: e12fa8c6b0da070380b97e8ab457211acbb723a964e195fa4f9c3bbff156e67b
                                                                                                            • Opcode Fuzzy Hash: 58f63d2a49e2dccc397039e1760641fb3daf576b141c484edaf97bd7eff7d6e5
                                                                                                            • Instruction Fuzzy Hash: BB215E30B00226CFEB64EB78C5547AE77F2AF49344F2008A9D145EB294DB759D42CB65
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8327556e8a99668fdbc0f9eef4b34388d2e5cbfb41afc87f635d1753f25a92a0
                                                                                                            • Instruction ID: 092eeb4730e0a38ab80e229233f2d0b0dec3261592eb106f16d7fc89f9bfe796
                                                                                                            • Opcode Fuzzy Hash: 8327556e8a99668fdbc0f9eef4b34388d2e5cbfb41afc87f635d1753f25a92a0
                                                                                                            • Instruction Fuzzy Hash: 4A217130B00225CFDB54EB78C5547AE77F6AF99244F1004A8D146EB394DB759D41CBA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c2dfa76f11d64fd8f88517e5d61e74bc607a6045b0be0c690f722a938681298c
                                                                                                            • Instruction ID: 33be0919eb501ced62869545d010d73dba49994afd6b73091db8d51ffbaa371f
                                                                                                            • Opcode Fuzzy Hash: c2dfa76f11d64fd8f88517e5d61e74bc607a6045b0be0c690f722a938681298c
                                                                                                            • Instruction Fuzzy Hash: D6218030E003299BDB59CFA8C490A9EF7B2BF89304F14861AE815BB740DB70A846CB51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2e1427f2830383d1a506286238a06b69d5ff5dca23ae3ec46b97a12ccd373892
                                                                                                            • Instruction ID: 2cfc5794aaf66eff92b9b4ccc8bb635d3c313b763984c866f60faf47641a7f44
                                                                                                            • Opcode Fuzzy Hash: 2e1427f2830383d1a506286238a06b69d5ff5dca23ae3ec46b97a12ccd373892
                                                                                                            • Instruction Fuzzy Hash: FA2124386001115FDF62E76CE948B2D77A6FB95304F104965D04EC739ADB39D8478B91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d98df75ba7f9086a1689ae7a80e4f7360febd782ee8e2db1d405d3ad76488940
                                                                                                            • Instruction ID: f0e0729137eb65c65b3cd9c44b7fdaf95d24b818d769a7a497f056c088c4df49
                                                                                                            • Opcode Fuzzy Hash: d98df75ba7f9086a1689ae7a80e4f7360febd782ee8e2db1d405d3ad76488940
                                                                                                            • Instruction Fuzzy Hash: 06212A34700214CFDB94DB79D998BAD77F1EB8D204F1004A9E506EB3A0DB759D01CB95
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: de5bba2726a163e46a40406bbc738954e0fb890a1c7991864facd992e7c5c7ea
                                                                                                            • Instruction ID: 9fe8457f9404e3629c651645224c87bc36624ee0de03e2bffbaa1294e5a6d84b
                                                                                                            • Opcode Fuzzy Hash: de5bba2726a163e46a40406bbc738954e0fb890a1c7991864facd992e7c5c7ea
                                                                                                            • Instruction Fuzzy Hash: 4811C431B003244FEFA5567CD54437F72E1EB45310F1049B9F086DB39ADAA5D8858BC1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 136f0400658d2574844c58863b5ca21cf694d47ee74c9d4572455dd27a028cc1
                                                                                                            • Instruction ID: b2a2cde85ac38f98c8efa012b859a5c902d0808bda3a0f05fe8def10e736a219
                                                                                                            • Opcode Fuzzy Hash: 136f0400658d2574844c58863b5ca21cf694d47ee74c9d4572455dd27a028cc1
                                                                                                            • Instruction Fuzzy Hash: 9D11B235B043204FEF66567C944037F77D1EB42314F1449BAF0C6DB28ADAA5C9868BC1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: bdb7c1f0b36c49949488624bdf5aecdc3dafe26b9907baf78cd44674b77809b7
                                                                                                            • Instruction ID: 7813b936893301a4ab75c62fe89856f28d8c452c8fbd0daded47cdfb47cc5da9
                                                                                                            • Opcode Fuzzy Hash: bdb7c1f0b36c49949488624bdf5aecdc3dafe26b9907baf78cd44674b77809b7
                                                                                                            • Instruction Fuzzy Hash: 6E113031E013359BCF61EFB884506EEBBE1EF58215B1444FAD849E7601EB35D942CB91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ea1dc79bd7956717fef2d42c434eab6f7239c1dd3bb9cc2294c430bc6d498cc2
                                                                                                            • Instruction ID: 9544c51e8a1365ec295e9cf43b2935ec3a89e4aa066d7a2e1b6e9294d445a5fe
                                                                                                            • Opcode Fuzzy Hash: ea1dc79bd7956717fef2d42c434eab6f7239c1dd3bb9cc2294c430bc6d498cc2
                                                                                                            • Instruction Fuzzy Hash: 8B11E579F012118FDBA1AF78984866E7BF5FB88250F100875E949D3340EA30C9538B91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7bf0463bffdea4100010c197968521df71c79119f46692cec9232f80af55554f
                                                                                                            • Instruction ID: 9a0a3ab490d60666ade3365e6e466bf91aeb9331ee7cb0bdffe89b6064666474
                                                                                                            • Opcode Fuzzy Hash: 7bf0463bffdea4100010c197968521df71c79119f46692cec9232f80af55554f
                                                                                                            • Instruction Fuzzy Hash: 5F012D31A003359FCF61EFB884506AEBBE5EB48210B1404BAE849E7305EB35D9418BE5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4c710ebbe6b37fc4af6b7134a87f7f501fb783d231257db71c820385343c1278
                                                                                                            • Instruction ID: c9f673c0a3bd875ebc6d0e8e208c21f0522fcc0cb910312722219b79bc305419
                                                                                                            • Opcode Fuzzy Hash: 4c710ebbe6b37fc4af6b7134a87f7f501fb783d231257db71c820385343c1278
                                                                                                            • Instruction Fuzzy Hash: 0311A531A002048FDB04DF69D98568ABBB6FF85310F54C5A4C94C5F29AEB70A94AC7A1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 025829950a08c0b904fc88de80ec59d36466d6733786d467c75bf51172ea4cd7
                                                                                                            • Instruction ID: a0d9217b8629f537636c9e33914ba77bacabebbdeb2d92acd1d99488f7034dc5
                                                                                                            • Opcode Fuzzy Hash: 025829950a08c0b904fc88de80ec59d36466d6733786d467c75bf51172ea4cd7
                                                                                                            • Instruction Fuzzy Hash: 41018478900149AFDF41FBB8F951AEDBBB5EF55308B0046B5C0099B359EB306E468B91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: db41ce894d85d3074b4ee7ebcc1f883ac036c414ac58b89c6acfb69d5a09a0bc
                                                                                                            • Instruction ID: 17606a6a2f0dcaa2ce4b2be6a1a27678efb0685f9e9ce2cf6093740c793835d9
                                                                                                            • Opcode Fuzzy Hash: db41ce894d85d3074b4ee7ebcc1f883ac036c414ac58b89c6acfb69d5a09a0bc
                                                                                                            • Instruction Fuzzy Hash: 43F02B37A04270DFD7228BA884902ACBFA0FE6811171D00D7D886DB611D731D442C751
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c44c63b1882985fe30a4f7c61827e379a11bc6829fb53510a552367657fddcea
                                                                                                            • Instruction ID: bee69f814d0b586326b023487fde0bc9ad311f823a7f31eedd78a837b1a8ee88
                                                                                                            • Opcode Fuzzy Hash: c44c63b1882985fe30a4f7c61827e379a11bc6829fb53510a552367657fddcea
                                                                                                            • Instruction Fuzzy Hash: 41F01439B40104CFD714EB74D598B6C73B2EF89215F2048A8E9068B3A0DF31AD02CB51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000008.00000002.4192317210.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_8_2_1020000_A6AHI7Uk18.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5fcd6d90486368b9d8ba44d2adeda94401f50018d111e9e602e17ae04f727f97
                                                                                                            • Instruction ID: 0b43b1af0e805826b912c3b1b1d9de0dc554f26c8fc155fd0d3ab6b8bf2a4b31
                                                                                                            • Opcode Fuzzy Hash: 5fcd6d90486368b9d8ba44d2adeda94401f50018d111e9e602e17ae04f727f97
                                                                                                            • Instruction Fuzzy Hash: 29F03134900109AFCF51FBB8E941AADB7B5EF40304F505679C0099B258DB316E468B81

                                                                                                            Execution Graph

                                                                                                            Execution Coverage: 12%
                                                                                                            Dynamic/Decrypted Code Coverage: 100%
                                                                                                            Signature Coverage: 0%
                                                                                                            Total number of Nodes: 156
                                                                                                            Total number of Limit Nodes: 11
                                                                                                            execution_graph 18996 94cba4e 18997 94cba54 18996->18997 18998 94cba03 18996->18998 19001 94ccd38 18997->19001 19006 94ccd29 18997->19006 19002 94ccd4d 19001->19002 19011 94ccd78 19002->19011 19029 94ccd71 19002->19029 19003 94ccd5f 19003->18998 19007 94ccd3d 19006->19007 19009 94ccd78 12 API calls 19007->19009 19010 94ccd71 12 API calls 19007->19010 19008 94ccd5f 19008->18998 19009->19008 19010->19008 19012 94ccd92 19011->19012 19047 94cd44f 19012->19047 19052 94cd252 19012->19052 19057 94cd7d2 19012->19057 19063 94cd312 19012->19063 19071 94cd3b1 19012->19071 19076 94cd591 19012->19076 19081 94cd431 19012->19081 19086 94cd277 19012->19086 19090 94cd416 19012->19090 19095 94cd5bb 19012->19095 19100 94cd4ba 19012->19100 19105 94cd1f8 19012->19105 19112 94cd5ff 19012->19112 19117 94cd649 19012->19117 19122 94cd429 19012->19122 19013 94ccd9a 19013->19003 19030 94ccd7d 19029->19030 19032 94cd44f 2 API calls 19030->19032 19033 94cd429 2 API calls 19030->19033 19034 94cd649 2 API calls 19030->19034 19035 94cd5ff 2 API calls 19030->19035 19036 94cd1f8 4 API calls 19030->19036 19037 94cd4ba 2 API calls 19030->19037 19038 94cd5bb 2 API calls 19030->19038 19039 94cd416 2 API calls 19030->19039 19040 94cd277 2 API calls 19030->19040 19041 94cd431 2 API calls 19030->19041 19042 94cd591 2 API calls 19030->19042 19043 94cd3b1 2 API calls 19030->19043 19044 94cd312 4 API calls 19030->19044 19045 94cd7d2 2 API calls 19030->19045 19046 94cd252 2 API calls 19030->19046 19031 94ccd9a 19031->19003 19032->19031 19033->19031 19034->19031 19035->19031 19036->19031 19037->19031 19038->19031 19039->19031 19040->19031 19041->19031 19042->19031 19043->19031 19044->19031 19045->19031 19046->19031 19048 94cd455 19047->19048 19127 94cadbb 19048->19127 19131 94cadc0 19048->19131 19049 94cd2cd 19053 94cd25e 19052->19053 19054 94cd409 19053->19054 19135 94cab73 19053->19135 19139 94cab78 
19053->19139 19054->19013 19058 94cd7df 19057->19058 19059 94cd466 19057->19059 19061 94cadbb WriteProcessMemory 19059->19061 19062 94cadc0 WriteProcessMemory 19059->19062 19060 94cd2cd 19061->19060 19062->19060 19064 94cd6d0 19063->19064 19065 94cd409 19063->19065 19143 94cac28 19064->19143 19147 94cac23 19064->19147 19065->19013 19066 94cd25e 19066->19065 19067 94cab78 ResumeThread 19066->19067 19068 94cab73 ResumeThread 19066->19068 19067->19066 19068->19066 19072 94cd3c6 19071->19072 19151 94caeab 19072->19151 19155 94caeb0 19072->19155 19073 94cd3ea 19073->19013 19077 94cd5a6 19076->19077 19079 94cadbb WriteProcessMemory 19077->19079 19080 94cadc0 WriteProcessMemory 19077->19080 19078 94cd83f 19079->19078 19080->19078 19082 94cda9f 19081->19082 19159 94cacfb 19082->19159 19163 94cad00 19082->19163 19083 94cdabd 19088 94cac28 Wow64SetThreadContext 19086->19088 19089 94cac23 Wow64SetThreadContext 19086->19089 19087 94cd291 19087->19013 19088->19087 19089->19087 19091 94cd25e 19090->19091 19091->19013 19092 94cd409 19091->19092 19093 94cab78 ResumeThread 19091->19093 19094 94cab73 ResumeThread 19091->19094 19092->19013 19093->19091 19094->19091 19096 94cd25e 19095->19096 19097 94cd409 19096->19097 19098 94cab78 ResumeThread 19096->19098 19099 94cab73 ResumeThread 19096->19099 19097->19013 19098->19096 19099->19096 19101 94cd595 19100->19101 19103 94cadbb WriteProcessMemory 19101->19103 19104 94cadc0 WriteProcessMemory 19101->19104 19102 94cd83f 19103->19102 19104->19102 19167 94cb448 19105->19167 19171 94cb443 19105->19171 19113 94cd608 19112->19113 19115 94cadbb WriteProcessMemory 19113->19115 19116 94cadc0 WriteProcessMemory 19113->19116 19114 94cd2de 19114->19013 19115->19114 19116->19114 19118 94cd656 19117->19118 19119 94cd50d 19118->19119 19120 94cab78 ResumeThread 19118->19120 19121 94cab73 ResumeThread 19118->19121 19119->19013 19120->19118 19121->19118 19123 94cd3c8 19122->19123 19124 94cd3ea 19122->19124 19125 94caeab ReadProcessMemory 19123->19125 
19126 94caeb0 ReadProcessMemory 19123->19126 19124->19013 19125->19124 19126->19124 19128 94cae08 WriteProcessMemory 19127->19128 19130 94cae5f 19128->19130 19130->19049 19132 94cae08 WriteProcessMemory 19131->19132 19134 94cae5f 19132->19134 19134->19049 19136 94cabb8 ResumeThread 19135->19136 19138 94cabe9 19136->19138 19138->19053 19140 94cabb8 ResumeThread 19139->19140 19142 94cabe9 19140->19142 19142->19053 19144 94cac6d Wow64SetThreadContext 19143->19144 19146 94cacb5 19144->19146 19146->19066 19148 94cac6d Wow64SetThreadContext 19147->19148 19150 94cacb5 19148->19150 19150->19066 19152 94caefb ReadProcessMemory 19151->19152 19154 94caf3f 19152->19154 19154->19073 19156 94caefb ReadProcessMemory 19155->19156 19158 94caf3f 19156->19158 19158->19073 19160 94cad40 VirtualAllocEx 19159->19160 19162 94cad7d 19160->19162 19162->19083 19164 94cad40 VirtualAllocEx 19163->19164 19166 94cad7d 19164->19166 19166->19083 19168 94cb4d1 CreateProcessA 19167->19168 19170 94cb693 19168->19170 19172 94cb4d1 CreateProcessA 19171->19172 19174 94cb693 19172->19174 19175 94cdf18 19176 94ce0a3 19175->19176 19178 94cdf3e 19175->19178 19178->19176 19179 94cb0f0 19178->19179 19180 94ce198 PostMessageW 19179->19180 19181 94ce204 19180->19181 19181->19178 19182 2a1e7b8 19183 2a1e800 GetModuleHandleW 19182->19183 19184 2a1e7fa 19182->19184 19185 2a1e82d 19183->19185 19184->19183 19186 2a17858 19187 2a17862 19186->19187 19189 2a17d50 19186->19189 19190 2a17d75 19189->19190 19194 2a17e60 19190->19194 19198 2a17e4f 19190->19198 19195 2a17e87 19194->19195 19196 2a17f64 19195->19196 19202 2a17a8c 19195->19202 19196->19196 19199 2a17e60 19198->19199 19200 2a17f64 19199->19200 19201 2a17a8c CreateActCtxA 19199->19201 19200->19200 19201->19200 19203 2a18ef0 CreateActCtxA 19202->19203 19205 2a18fb3 19203->19205
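The execution graph above is where the report's "Injects a PE file into a foreign processes" verdict becomes concrete: one dispatcher function at 94ccd92 (node 19012) fans out to callers of CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread, which is the full caller-side set of the classic process-hollowing chain. The following is an added example, not part of the Joe Sandbox report, that parses this text form of the graph and finds every function from which all five primitives are reachable. The format rules (a node is `<id> <hex address>` optionally followed by API names, an edge is `<src>-><dst>`, and `<n> API calls` is a summary to skip) are assumptions inferred from the graph as printed, not a documented Joe Sandbox format; the embedded sample is a trimmed excerpt of the page's own graph, and the detector also accepts the wide and non-WOW64 variants of the APIs, which the report itself does not show.

```python
"""Find functions from which a process-hollowing API chain is reachable
in a Joe Sandbox execution_graph text export (added example, assumptions
about the export format are noted in the docstrings)."""
import re
from collections import defaultdict

# One set of accepted alternatives per step of the hollowing chain. The report
# shows the ANSI and WOW64 variants; the W / non-WOW64 forms are added so the
# same check works for a 64-bit injector (assumption beyond the page).
HOLLOWING_STEPS = (
    {"CreateProcessA", "CreateProcessW"},
    {"VirtualAllocEx"},
    {"WriteProcessMemory"},
    {"Wow64SetThreadContext", "SetThreadContext"},
    {"ResumeThread"},
)

# Excerpt of the report's execution_graph: node ids and addresses are the
# page's own, only the selection (injection path plus one unrelated function
# and one "N API calls" summary) is constructed here.
SAMPLE_GRAPH = """
execution_graph
19012 94ccd92
19047 94cd44f 19012->19047 19081 94cd431 19012->19081 19086 94cd277 19012->19086
19090 94cd416 19012->19090 19105 94cd1f8 19012->19105
19048 94cd455 19047->19048 19127 94cadbb 19048->19127
19128 94cae08 WriteProcessMemory 19127->19128
19082 94cda9f 19081->19082 19159 94cacfb 19082->19159
19160 94cad40 VirtualAllocEx 19159->19160
19088 94cac28 Wow64SetThreadContext 19086->19088
19091 94cd25e 19090->19091 19093 94cab78 ResumeThread 19091->19093
19167 94cb448 19105->19167 19168 94cb4d1 CreateProcessA 19167->19168
19032 94cd44f 2 API calls 19030->19032
19182 2a1e7b8 19183 2a1e800 GetModuleHandleW 19182->19183
"""

ADDR_RE = re.compile(r"^[0-9a-f]{6,8}$")       # 32-bit code addresses as printed
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]+$")    # Win32 export names on a node
SUMMARY_RE = re.compile(r"\b\d+ API calls?\b")  # "12 API calls" summaries


def parse_execution_graph(text):
    """Return (addr_by_node, apis_by_node, edges).

    Format assumption (inferred from the report, not documented): a node is
    '<decimal id> <hex address>' followed by zero or more API names; an edge
    token is '<src>-><dst>'; '<n> API calls' is a summary with no API name.
    """
    addr, apis, edges = {}, defaultdict(set), defaultdict(set)
    tokens = SUMMARY_RE.sub(" ", text).split()
    current, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:
            src, dst = (int(x) for x in tok.split("->"))
            edges[src].add(dst)
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and ADDR_RE.match(tokens[i + 1]):
            current = int(tok)
            addr[current] = tokens[i + 1]
            i += 2
        else:
            if current is not None and API_RE.match(tok):
                apis[current].add(tok)
            i += 1
    return addr, apis, edges


def reachable_nodes(edges, start):
    """All nodes reachable from `start` (iterative DFS, start included)."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(edges.get(node, ()))
    return seen


def find_hollowing_orchestrators(text, steps=HOLLOWING_STEPS):
    """Nodes from which every step of the hollowing chain is reachable.

    Sorted so the most specific caller (fewest reachable nodes) comes first,
    since a top-level entry point trivially reaches everything below it.
    """
    addr, apis, edges = parse_execution_graph(text)
    hits = []
    for node in addr:
        nodes = reachable_nodes(edges, node)
        reach = set().union(*(apis.get(n, set()) for n in nodes))
        if all(reach & alternatives for alternatives in steps):
            hits.append((len(nodes), node, addr[node]))
    hits.sort()
    return [(node, address) for _, node, address in hits]


if __name__ == "__main__":
    for node, address in find_hollowing_orchestrators(SAMPLE_GRAPH):
        print(f"hollowing chain fully reachable from node {node} @ 0x{address}")
```

Two caveats apply when reading the result against this report. Reachability says nothing about call order: the graph shows that 94ccd92 can reach all five primitives, and the Wow64SetThreadContext plus ResumeThread pair is what makes the CREATE_SUSPENDED process run injected code, but the sequencing has to be confirmed from the control-flow graphs below or from the API trace. And the graph only covers what the sandbox executed (12% execution coverage here), so a function that does not appear in a hit list has not been shown to be clean.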

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 670 94cb448-94cb4dd 672 94cb4df-94cb4e9 670->672 673 94cb516-94cb536 670->673 672->673 674 94cb4eb-94cb4ed 672->674 680 94cb56f-94cb59e 673->680 681 94cb538-94cb542 673->681 675 94cb4ef-94cb4f9 674->675 676 94cb510-94cb513 674->676 678 94cb4fd-94cb50c 675->678 679 94cb4fb 675->679 676->673 678->678 682 94cb50e 678->682 679->678 687 94cb5d7-94cb691 CreateProcessA 680->687 688 94cb5a0-94cb5aa 680->688 681->680 683 94cb544-94cb546 681->683 682->676 685 94cb548-94cb552 683->685 686 94cb569-94cb56c 683->686 689 94cb554 685->689 690 94cb556-94cb565 685->690 686->680 701 94cb69a-94cb720 687->701 702 94cb693-94cb699 687->702 688->687 691 94cb5ac-94cb5ae 688->691 689->690 690->690 692 94cb567 690->692 693 94cb5b0-94cb5ba 691->693 694 94cb5d1-94cb5d4 691->694 692->686 696 94cb5bc 693->696 697 94cb5be-94cb5cd 693->697 694->687 696->697 697->697 698 94cb5cf 697->698 698->694 712 94cb730-94cb734 701->712 713 94cb722-94cb726 701->713 702->701 715 94cb744-94cb748 712->715 716 94cb736-94cb73a 712->716 713->712 714 94cb728 713->714 714->712 718 94cb758-94cb75c 715->718 719 94cb74a-94cb74e 715->719 716->715 717 94cb73c 716->717 717->715 720 94cb76e-94cb775 718->720 721 94cb75e-94cb764 718->721 719->718 722 94cb750 719->722 723 94cb78c 720->723 724 94cb777-94cb786 720->724 721->720 722->718 726 94cb78d 723->726 724->723 726->726
                                                                                                            APIs
                                                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 094CB67E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1818048576.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_94c0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 963392458-0
                                                                                                            • Opcode ID: 98a831718fce3e8151114151ae966a72c652dda0f8cf95871e8ac9f588226e6b
                                                                                                            • Instruction ID: c04048d1ae8fb2d779395abd7efb1c815cef5dd3c8a89a7a82c3b55c2b2b73a1
                                                                                                            • Opcode Fuzzy Hash: 98a831718fce3e8151114151ae966a72c652dda0f8cf95871e8ac9f588226e6b
                                                                                                            • Instruction Fuzzy Hash: 7C916BB5D002198FDB64CF68C9427EEBBB2EF44314F1481AAE858A7350DB749985CFA1

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 613 94cb443-94cb4dd 615 94cb4df-94cb4e9 613->615 616 94cb516-94cb536 613->616 615->616 617 94cb4eb-94cb4ed 615->617 623 94cb56f-94cb59e 616->623 624 94cb538-94cb542 616->624 618 94cb4ef-94cb4f9 617->618 619 94cb510-94cb513 617->619 621 94cb4fd-94cb50c 618->621 622 94cb4fb 618->622 619->616 621->621 625 94cb50e 621->625 622->621 630 94cb5d7-94cb691 CreateProcessA 623->630 631 94cb5a0-94cb5aa 623->631 624->623 626 94cb544-94cb546 624->626 625->619 628 94cb548-94cb552 626->628 629 94cb569-94cb56c 626->629 632 94cb554 628->632 633 94cb556-94cb565 628->633 629->623 644 94cb69a-94cb720 630->644 645 94cb693-94cb699 630->645 631->630 634 94cb5ac-94cb5ae 631->634 632->633 633->633 635 94cb567 633->635 636 94cb5b0-94cb5ba 634->636 637 94cb5d1-94cb5d4 634->637 635->629 639 94cb5bc 636->639 640 94cb5be-94cb5cd 636->640 637->630 639->640 640->640 641 94cb5cf 640->641 641->637 655 94cb730-94cb734 644->655 656 94cb722-94cb726 644->656 645->644 658 94cb744-94cb748 655->658 659 94cb736-94cb73a 655->659 656->655 657 94cb728 656->657 657->655 661 94cb758-94cb75c 658->661 662 94cb74a-94cb74e 658->662 659->658 660 94cb73c 659->660 660->658 663 94cb76e-94cb775 661->663 664 94cb75e-94cb764 661->664 662->661 665 94cb750 662->665 666 94cb78c 663->666 667 94cb777-94cb786 663->667 664->663 665->661 669 94cb78d 666->669 667->666 669->669
                                                                                                            APIs
                                                                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 094CB67E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1818048576.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_94c0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 963392458-0
                                                                                                            • Opcode ID: 6cdf8eaa12a256989bd91e226a87403bb1e1eaadde83a4f44eecdbab4632573a
                                                                                                            • Instruction ID: ef19a6c2db1149e6d37351708a5b1110310aa482c26f6e4cc5ddedf5b3adb495
                                                                                                            • Opcode Fuzzy Hash: 6cdf8eaa12a256989bd91e226a87403bb1e1eaadde83a4f44eecdbab4632573a
                                                                                                            • Instruction Fuzzy Hash: F3915BB5D00219CFDB64CF68C9427EEBBB2EF44314F1481AAE858A7350DB749985CFA1

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 727 2a18ee4-2a18eef 728 2a18ef0-2a18fb1 CreateActCtxA 727->728 730 2a18fb3-2a18fb9 728->730 731 2a18fba-2a19014 728->731 730->731 738 2a19023-2a19027 731->738 739 2a19016-2a19019 731->739 740 2a19029-2a19035 738->740 741 2a19038 738->741 739->738 740->741 743 2a19039 741->743 743->743
                                                                                                            APIs
                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 02A18FA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1812101178.0000000002A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_2a10000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Create
                                                                                                            • String ID:
                                                                                                            • API String ID: 2289755597-0
                                                                                                            • Opcode ID: 1354e68933a385e0cdd75e6474872ba4530c0769a296dcb89be8c7c8fa220c4d
                                                                                                            • Instruction ID: 7e3768baf3adec83dd3d183389741cf5a80af5f8c76f65659bf33c2777eb8a56
                                                                                                            • Opcode Fuzzy Hash: 1354e68933a385e0cdd75e6474872ba4530c0769a296dcb89be8c7c8fa220c4d
                                                                                                            • Instruction Fuzzy Hash: 3A41F2B0C00619CFDB24CFA9C844BDEBBB5FF49314F24805AD408AB255DB755985CF91

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 744 2a17a8c-2a18fb1 CreateActCtxA 747 2a18fb3-2a18fb9 744->747 748 2a18fba-2a19014 744->748 747->748 755 2a19023-2a19027 748->755 756 2a19016-2a19019 748->756 757 2a19029-2a19035 755->757 758 2a19038 755->758 756->755 757->758 760 2a19039 758->760 760->760
                                                                                                            APIs
                                                                                                            • CreateActCtxA.KERNEL32(?), ref: 02A18FA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1812101178.0000000002A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_2a10000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Create
                                                                                                            • String ID:
                                                                                                            • API String ID: 2289755597-0
                                                                                                            • Opcode ID: 1df53774fdd1ba2f9c054697e3db8f8eb7c46485a0f058712964fc76b895d48d
                                                                                                            • Instruction ID: 392c995cff54922f9f8f3d7309ab5d11b80a7073ab154395293a8870bcbd72b2
                                                                                                            • Opcode Fuzzy Hash: 1df53774fdd1ba2f9c054697e3db8f8eb7c46485a0f058712964fc76b895d48d
                                                                                                            • Instruction Fuzzy Hash: CA4101B0C00619CFDB24CFA9C844BDEBBF5BF49314F2480AAD408AB255DBB56945CF91

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 771 94cadc0-94cae0e 773 94cae1e-94cae5d WriteProcessMemory 771->773 774 94cae10-94cae1c 771->774 776 94cae5f-94cae65 773->776 777 94cae66-94cae96 773->777 774->773 776->777
                                                                                                            APIs
                                                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 094CAE50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1818048576.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_94c0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3559483778-0
                                                                                                            • Opcode ID: 75f4b8725c9af694f3da1209a733e3464370d1f4f72bca074b9bf79b3f008d44
                                                                                                            • Instruction ID: fc44bd2ff312261a9c97f07be0295d275936f48f744c32b7923fddd59fd40a18
                                                                                                            • Opcode Fuzzy Hash: 75f4b8725c9af694f3da1209a733e3464370d1f4f72bca074b9bf79b3f008d44
                                                                                                            • Instruction Fuzzy Hash: 962125B5900359DFCB10DFA9C885BEEBBF5FF48310F10842AE958A7250C7789954CBA4

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 761 94cadbb-94cae0e 763 94cae1e-94cae5d WriteProcessMemory 761->763 764 94cae10-94cae1c 761->764 766 94cae5f-94cae65 763->766 767 94cae66-94cae96 763->767 764->763 766->767
                                                                                                            APIs
                                                                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 094CAE50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1818048576.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_94c0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3559483778-0
                                                                                                            • Opcode ID: 24a158a6ca3d9db65dff8a44d446511b4c140adc949a179e09c0b57469120c25
                                                                                                            • Instruction ID: 84026026e010b7aa7a8c9d82f5b0d42d775b8773c992d08850829fd682fed71a
                                                                                                            • Opcode Fuzzy Hash: 24a158a6ca3d9db65dff8a44d446511b4c140adc949a179e09c0b57469120c25
                                                                                                            • Instruction Fuzzy Hash: F82124B5900259DFDB10DFA9C885BEEBBF5FF48310F10842AE958A7250C778A954CBA4

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 791 94cac28-94cac73 793 94cac75-94cac81 791->793 794 94cac83-94cacb3 Wow64SetThreadContext 791->794 793->794 796 94cacbc-94cacec 794->796 797 94cacb5-94cacbb 794->797 797->796
                                                                                                            APIs
                                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 094CACA6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1818048576.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_94c0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ContextThreadWow64
                                                                                                            • String ID:
                                                                                                            • API String ID: 983334009-0
                                                                                                            • Opcode ID: d03e4208b6bb4dc64bb059f1b9abaf9c2dda432b7c750aa6a457aa652b58a2a0
                                                                                                            • Instruction ID: f0a06016824fe23e3a4abfa5c45b4ea1bcd7800953bc055fd0db61c065354d5d
                                                                                                            • Opcode Fuzzy Hash: d03e4208b6bb4dc64bb059f1b9abaf9c2dda432b7c750aa6a457aa652b58a2a0
                                                                                                            • Instruction Fuzzy Hash: 422118B59002098FDB10DFAAC4857EEBBF4EF88324F14842ED459A7241DB789945CFA5

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 781 94cac23-94cac73 783 94cac75-94cac81 781->783 784 94cac83-94cacb3 Wow64SetThreadContext 781->784 783->784 786 94cacbc-94cacec 784->786 787 94cacb5-94cacbb 784->787 787->786
                                                                                                            APIs
                                                                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 094CACA6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1818048576.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_94c0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ContextThreadWow64
                                                                                                            • String ID:
                                                                                                            • API String ID: 983334009-0
                                                                                                            • Opcode ID: 991dc4b782cc619d5b2d59adae1ad910325fba10e9d1841c6853ce7958c077cb
                                                                                                            • Instruction ID: 4ad0662906295662a089e70da079557b4fb8ab43b46846956e268d2f033b4a32
                                                                                                            • Opcode Fuzzy Hash: 991dc4b782cc619d5b2d59adae1ad910325fba10e9d1841c6853ce7958c077cb
                                                                                                            • Instruction Fuzzy Hash: 332138B5D002098FDB10DFA9C4847EEBBF4EF88314F10842ED459A7240CB78A985CFA4

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 801 94caeab-94caf3d ReadProcessMemory 804 94caf3f-94caf45 801->804 805 94caf46-94caf76 801->805 804->805
                                                                                                            APIs
                                                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 094CAF30
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1818048576.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_94c0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessRead
                                                                                                            • String ID:
                                                                                                            • API String ID: 1726664587-0
                                                                                                            • Opcode ID: 2d20664caae0aaa626b9cdd18569f29b3a10d55722982277b2d9edac7a862a61
                                                                                                            • Instruction ID: 6c0b028a5625e6e20adfee4109e57ae5495388e009e1ac0e40e1b5fc1474069f
                                                                                                            • Opcode Fuzzy Hash: 2d20664caae0aaa626b9cdd18569f29b3a10d55722982277b2d9edac7a862a61
                                                                                                            • Instruction Fuzzy Hash: 552114B1D012599FDB10DFA9C884AEEBBF5FF48310F50842EE559A7250C738A945CFA4

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 809 94caeb0-94caf3d ReadProcessMemory 812 94caf3f-94caf45 809->812 813 94caf46-94caf76 809->813 812->813
                                                                                                            APIs
                                                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 094CAF30
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1818048576.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_94c0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MemoryProcessRead
                                                                                                            • String ID:
                                                                                                            • API String ID: 1726664587-0
                                                                                                            • Opcode ID: 70a7db2ca7c7ee2d5dd8a4a0e47f011a679fb3114f5240d99dd139c52b160a6e
                                                                                                            • Instruction ID: 7dc7a7d8f40c8c5f278f1c40c89ea0b5948a3fe8474dfca9f701901666143ba1
                                                                                                            • Opcode Fuzzy Hash: 70a7db2ca7c7ee2d5dd8a4a0e47f011a679fb3114f5240d99dd139c52b160a6e
                                                                                                            • Instruction Fuzzy Hash: F52125B18002599FCB10DFAAC880AEEFBF5FF48320F50842EE558A7250C7389944CFA4
                                                                                                            APIs
                                                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 094CAD6E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1818048576.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_94c0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            • Opcode ID: 9abedf03af120cc82d7742bd4f61b8a5a7a1c3e52c999c1e6b1496f29495f83d
                                                                                                            • Instruction ID: c5827384655ac0a97182dab11007b595a122d58829946cc1f11e23a1a81b90d7
                                                                                                            • Opcode Fuzzy Hash: 9abedf03af120cc82d7742bd4f61b8a5a7a1c3e52c999c1e6b1496f29495f83d
                                                                                                            • Instruction Fuzzy Hash: E31137B59002499FCB10DFAAC844BDFBFF5EF88324F10841AE559A7250C775A944CFA5
                                                                                                            APIs
                                                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 094CAD6E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1818048576.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_94c0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            • Opcode ID: 27886be8e87eca26fa6822eea13b8b3dd20895ad907616d8afe2fa42d049636d
                                                                                                            • Instruction ID: d556a869c98ac129134df8144048bafeaa246ca4b81b5d44843e0f9d3a29f927
                                                                                                            • Opcode Fuzzy Hash: 27886be8e87eca26fa6822eea13b8b3dd20895ad907616d8afe2fa42d049636d
                                                                                                            • Instruction Fuzzy Hash: 0B1156B59002498FCB20DFA9C844BDFBBF1EF88320F10841EE419A7260CB359540CFA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1818048576.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_94c0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ResumeThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 947044025-0
                                                                                                            • Opcode ID: ae32ab2e5cf9fc9a9e77aa2174ddd73da02ae8f0646e06c6d03802a70ab90378
                                                                                                            • Instruction ID: 33a7654cf99c53456196e50bf32f43866b7b33b835c0d9a8863432ec171194f3
                                                                                                            • Opcode Fuzzy Hash: ae32ab2e5cf9fc9a9e77aa2174ddd73da02ae8f0646e06c6d03802a70ab90378
                                                                                                            • Instruction Fuzzy Hash: 5B1166B5D002488FCB20DFAAC4447DEFBF5EB88324F20842ED519A7250CB38A944CFA4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1818048576.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_94c0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ResumeThread
                                                                                                            • String ID:
                                                                                                            • API String ID: 947044025-0
                                                                                                            • Opcode ID: 0096218ba2910fd9feda921d4015a0f165d47cda1f20febe8f7c6239f724d7b4
                                                                                                            • Instruction ID: 06d4be0999b5b4586484cc29925188d42fadc167a4c8525c7b015221b0937526
                                                                                                            • Opcode Fuzzy Hash: 0096218ba2910fd9feda921d4015a0f165d47cda1f20febe8f7c6239f724d7b4
                                                                                                            • Instruction Fuzzy Hash: AE1155B5D002498FDB20DFAAC4447DEFBF5EB88324F20841ED119A7250CB38A984CFA4
                                                                                                            APIs
                                                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 094CE1F5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1818048576.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_94c0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessagePost
                                                                                                            • String ID:
                                                                                                            • API String ID: 410705778-0
                                                                                                            • Opcode ID: 9bfe5b0160a63b204eb76f18a8aaf434786bdc850c706eb7814371728a28c5f2
                                                                                                            • Instruction ID: 1f4c280d412c8032ce5ca9a4f1896c97c0272c4089ef5036630a6343428cefe9
                                                                                                            • Opcode Fuzzy Hash: 9bfe5b0160a63b204eb76f18a8aaf434786bdc850c706eb7814371728a28c5f2
                                                                                                            • Instruction Fuzzy Hash: A111F5B58003499FDB10DF99C885BDFBBF8FB49324F10845AE558A7250C375A944CFA1
                                                                                                            APIs
                                                                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02A1E81E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1812101178.0000000002A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A10000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_2a10000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: HandleModule
                                                                                                            • String ID:
                                                                                                            • API String ID: 4139908857-0
                                                                                                            • Opcode ID: 96e310a568de75b65350da709efa40d16921054f87cd1de9068b75e2402f9098
                                                                                                            • Instruction ID: ca1f3f4a3f91f3361d6276f5b878c1d794689af4edd53850b4a0ba26ac3673bf
                                                                                                            • Opcode Fuzzy Hash: 96e310a568de75b65350da709efa40d16921054f87cd1de9068b75e2402f9098
                                                                                                            • Instruction Fuzzy Hash: 7E1110B5C002498FCB10CF9AC544ADEFBF4EB88324F10842AD828B7210C779A545CFA5
                                                                                                            APIs
                                                                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 094CE1F5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1818048576.00000000094C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094C0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_94c0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessagePost
                                                                                                            • String ID:
                                                                                                            • API String ID: 410705778-0
                                                                                                            • Opcode ID: 1765728a38d0996d78df7c840cc032d736fd41bb724011074b7f322ffd26e1d5
                                                                                                            • Instruction ID: 1a73ef4dbd194080ccc79bc955a88d74011c0ed108c4033987f36278921caa24
                                                                                                            • Opcode Fuzzy Hash: 1765728a38d0996d78df7c840cc032d736fd41bb724011074b7f322ffd26e1d5
                                                                                                            • Instruction Fuzzy Hash: 2111E3B58003489FDB60DF99C444BDEBBF8EB48310F10841AE558A7210C375A954CFA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1811037825.000000000286D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0286D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_286d000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0a1dde053899edb85d8c2ffe93a6e1586a4a6c9ea5b72a5d66dac03e411549c9
                                                                                                            • Instruction ID: 12724c48759c2d5e104fef7ed15bc46e1108749d6af1eadd12d8b44697c3341c
                                                                                                            • Opcode Fuzzy Hash: 0a1dde053899edb85d8c2ffe93a6e1586a4a6c9ea5b72a5d66dac03e411549c9
                                                                                                            • Instruction Fuzzy Hash: 96213079600244DFDB05DF14C9C8B3ABF65FB88318F20C169E8098B656C336D846CAA2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1811037825.000000000286D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0286D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_286d000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4fe00a20f052ad9d3c221945790e615d61331e6f7082a9f8d1e12afe5bdf4f58
                                                                                                            • Instruction ID: be4d45770ea38a124aefff132884297f6c3a1625d59269934422352f4fa2f3a8
                                                                                                            • Opcode Fuzzy Hash: 4fe00a20f052ad9d3c221945790e615d61331e6f7082a9f8d1e12afe5bdf4f58
                                                                                                            • Instruction Fuzzy Hash: FB213679200244DFDB08DF04C9C8F26BF65FB98314F24C169D9098F656C336E846C6A1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1811099324.000000000287D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0287D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_287d000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 20997eae56cd9552fd9076fa90e25b079263b81588abf482d6138b14f271b0a2
                                                                                                            • Instruction ID: f2e38fe73068c923c4e774795494e88ae0d20eb16bdf9b60ac9576061aec6e47
                                                                                                            • Opcode Fuzzy Hash: 20997eae56cd9552fd9076fa90e25b079263b81588abf482d6138b14f271b0a2
                                                                                                            • Instruction Fuzzy Hash: 9521FF7D604204DFDB14DF24D984B26BBA5EF88318F24C56DE80E8B296C33AD847CA61
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1811099324.000000000287D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0287D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_287d000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3088c0ec5e7e9046fbc3d1eb5a71f5d8d818eeabbcf8559fea00e8da29ec0afa
                                                                                                            • Instruction ID: 80fc37427f282ea04255001693e0d77225097aab52c64c166bcdc384212f9cc0
                                                                                                            • Opcode Fuzzy Hash: 3088c0ec5e7e9046fbc3d1eb5a71f5d8d818eeabbcf8559fea00e8da29ec0afa
                                                                                                            • Instruction Fuzzy Hash: 9A215E795093808FDB12CF24D994715BF71EF46214F28C5EAD8498F6A7C33AD80ACB62
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000009.00000002.1811037825.000000000286D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0286D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_9_2_286d000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                            • Instruction ID: 49cd62607b934206ca73b3845b003ed599f185fc0c4619f1a413afb698f46acf
                                                                                                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                            • Instruction Fuzzy Hash: 4411E17A504240CFCB06CF00D5C4B26BF72FB94324F24C2A9D9094F656C33AE85ACBA1
Memory Dump Source
• Source File: 00000009.00000002.1811037825.000000000286D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0286D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_286d000_tAtOLFyXVhJq.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1811037825.000000000286D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0286D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_286d000_tAtOLFyXVhJq.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.1811037825.000000000286D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0286D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_286d000_tAtOLFyXVhJq.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Execution Graph

Execution Coverage: 12.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 25
Total number of Limit Nodes: 4
Strings
Memory Dump Source
• Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
Similarity
• API ID:
• String ID: \VKm
• API String ID: 0-3894457903
Strings
Memory Dump Source
• Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
Similarity
• API ID:
• String ID: \VKm
• API String ID: 0-3894457903
Memory Dump Source
• Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
Strings
Memory Dump Source
• Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
Similarity
• API ID:
• String ID: \VKm$\VKm
• API String ID: 0-3999629693

Control-flow Graph
Strings
Memory Dump Source
• Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
Similarity
• API ID:
• String ID: \VKm$\VKm
• API String ID: 0-3999629693
Memory Dump Source
• Source File: 0000000D.00000002.4207248929.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6780000_tAtOLFyXVhJq.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GlobalMemoryStatusEx.KERNEL32 ref: 0678EA9F
Memory Dump Source
• Source File: 0000000D.00000002.4207248929.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6780000_tAtOLFyXVhJq.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
Similarity
• API ID:
• String ID: \VKm
• API String ID: 0-3894457903
Strings
Memory Dump Source
• Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
Similarity
• API ID:
• String ID: \VKm
• API String ID: 0-3894457903
Strings
Memory Dump Source
• Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
Similarity
• API ID:
• String ID: LR^q
• API String ID: 0-2625958711
Strings
Memory Dump Source
• Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
Similarity
• API ID:
• String ID: LR^q
• API String ID: 0-2625958711
                                                                                                            • Opcode ID: edf7e1ed76b22b2fa4a2613e39cb409fefa6aaa9c067ef86799c1976808e84e4
                                                                                                            • Instruction ID: 2d0448ace8f005695a571620fcfab7a836c8ef0c67850cca05dc28ca686d227f
                                                                                                            • Opcode Fuzzy Hash: edf7e1ed76b22b2fa4a2613e39cb409fefa6aaa9c067ef86799c1976808e84e4
                                                                                                            • Instruction Fuzzy Hash: 6D316131E2020ACBEB15DFA9C5447AEB7B6FF85310F504525EA05FB240EB719D46CB45
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: LR^q
                                                                                                            • API String ID: 0-2625958711
                                                                                                            • Opcode ID: 0d5bc4c307528cd715ace39290c046322552b2719a1dfadf260a2f478fd6c10b
                                                                                                            • Instruction ID: a80f67899fa2aa231be4ca09581ca4d0d0ffb8c322f4756fa9ea970cd2d2f1df
                                                                                                            • Opcode Fuzzy Hash: 0d5bc4c307528cd715ace39290c046322552b2719a1dfadf260a2f478fd6c10b
                                                                                                            • Instruction Fuzzy Hash: 73316F31E2060ACFEB15CF69C5547AEB7B6FF85300F608429EA05FB241DBB19942CB45
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: LR^q
                                                                                                            • API String ID: 0-2625958711
                                                                                                            • Opcode ID: d0d9f101f72f4978f574d5219d8749342bbaf9d74fe05372b94a68645ff84445
                                                                                                            • Instruction ID: 3c8c327a29d757b79cceda46290b79ce986fa78b82db74b49d913d017f4dc905
                                                                                                            • Opcode Fuzzy Hash: d0d9f101f72f4978f574d5219d8749342bbaf9d74fe05372b94a68645ff84445
                                                                                                            • Instruction Fuzzy Hash: 69012235710200AFD314EB7884557AE7BF2EF89700F58486ED15AD7390DF3988458782
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: efa585dff7568b22f0815a4840d794049fa54b7b511f521be33f6b0e9bab1b73
                                                                                                            • Instruction ID: 478f0ae340c7d308e34c6bed3e3e8917334fc61d63b122b0789f90bdcc247b69
                                                                                                            • Opcode Fuzzy Hash: efa585dff7568b22f0815a4840d794049fa54b7b511f521be33f6b0e9bab1b73
                                                                                                            • Instruction Fuzzy Hash: 60229074720602DFDB2AAB3CE55426DB7A2FB86311B504939E106CB355DF31EC8B9B81
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 8c1a842a32da946ffb4197993b3a00585b3a9995f1b1e2272bfcf0fcd81e73d1
                                                                                                            • Instruction ID: c77bffdf29854bdbf6958574b4049a9b816875335253fcaed3a4f2b02b34fe80
                                                                                                            • Opcode Fuzzy Hash: 8c1a842a32da946ffb4197993b3a00585b3a9995f1b1e2272bfcf0fcd81e73d1
                                                                                                            • Instruction Fuzzy Hash: 0B126F74720603DFDB29AB2CE54426DB7A2FB86311B504A38E106CB355DF35EC8B9B81
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 66361d14bfdac430262e92e2d6365b250eec80d6860454e0f7f429d655fd4ddc
                                                                                                            • Instruction ID: a131b3e224e0b67e146004f4939f17bd5eca234a6713d4505bc3a29be263784c
                                                                                                            • Opcode Fuzzy Hash: 66361d14bfdac430262e92e2d6365b250eec80d6860454e0f7f429d655fd4ddc
                                                                                                            • Instruction Fuzzy Hash: 48E1C130B102068FDF15DB68D984AAEBBB2FF88310F608429E61ADB355DB31DD42CB51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 00f5fd28afaadbb5089c37a5ef583018a81d0f9650f840fc31d891a02f2715c3
                                                                                                            • Instruction ID: 3fedb0deb82b919b7bb1d8dc3543fc3fc441271a4da8acf9ad53d239698fb11f
                                                                                                            • Opcode Fuzzy Hash: 00f5fd28afaadbb5089c37a5ef583018a81d0f9650f840fc31d891a02f2715c3
                                                                                                            • Instruction Fuzzy Hash: 68A16F70E2064ACFDB10DFA8D8817DDBBF2AF48314F588529D918E7254EBB4D885CB81
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 575ff80892e5674d5921c642dea19a099b4d4e25897fa0889c903d7b3a674631
                                                                                                            • Instruction ID: b37b7cae035f06a93917e94e7ce0272158c715c6fc0d84837bf1109502762fd5
                                                                                                            • Opcode Fuzzy Hash: 575ff80892e5674d5921c642dea19a099b4d4e25897fa0889c903d7b3a674631
                                                                                                            • Instruction Fuzzy Hash: E9516B71A002058FDB04DF69E88479DFBB2FF88310F54C1A9EA189B35AE770D945CB90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3b1771b33c9c9c771c87639292e345dd398b7e2d00291b1280c14c643d3d9103
                                                                                                            • Instruction ID: fdc80bc74f88e58e71548c548d3df17cd68787042493d5c89e3900fe2a48d87e
                                                                                                            • Opcode Fuzzy Hash: 3b1771b33c9c9c771c87639292e345dd398b7e2d00291b1280c14c643d3d9103
                                                                                                            • Instruction Fuzzy Hash: 0B513470E20219CFDB14CFA9C984B9EBBF1BF48314F58811AE919AB350D774A844CF95
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 3dab70da4502fed9b124fe7871b7bd4f8a91a5e533dca4dc3b4fcd99734e21f1
                                                                                                            • Instruction ID: 1c0f438a07724ad7a3e1c31fecc4ec101141c4c4916cd0c3e91149ee20867e9b
                                                                                                            • Opcode Fuzzy Hash: 3dab70da4502fed9b124fe7871b7bd4f8a91a5e533dca4dc3b4fcd99734e21f1
                                                                                                            • Instruction Fuzzy Hash: DC512370E20219CFDB18CFA9C884B9EBBB1BF48314F588129E919AB351D774A844CF95
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 2a5914d80596f6ca4b4d4c60dd90e61c4bf064f0ae719e8eb8079eade87f13b8
                                                                                                            • Instruction ID: 7bc3f41d0cf628bb504cee1ae93ce846d7c213b7270cbeaa85451a5f87648b3c
                                                                                                            • Opcode Fuzzy Hash: 2a5914d80596f6ca4b4d4c60dd90e61c4bf064f0ae719e8eb8079eade87f13b8
                                                                                                            • Instruction Fuzzy Hash: F851C939211281CFC716FB68F995B54BBB9F7977087844965D0048B32DDB306D8AEB90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 09845dbd52fdaecfcbaca4467073c40b1b60cbc6fbe81c3dbb12819668a708f7
                                                                                                            • Instruction ID: a96b767ade7c4aa8f40ecc28d11387441c592287f67676987c1cb8386d61c167
                                                                                                            • Opcode Fuzzy Hash: 09845dbd52fdaecfcbaca4467073c40b1b60cbc6fbe81c3dbb12819668a708f7
                                                                                                            • Instruction Fuzzy Hash: B751A838211281CFC716FB68F995A54BBB9F7977083844969D0048B32EDB706D89EB90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7fd6ed07f6e53bdccc12c3b28b79348781ef8b6cef15f781c93f586e7b79486c
                                                                                                            • Instruction ID: d5f265243d64e13910690a4790bcba10731c3fe58842205a4b99168e604de39d
                                                                                                            • Opcode Fuzzy Hash: 7fd6ed07f6e53bdccc12c3b28b79348781ef8b6cef15f781c93f586e7b79486c
                                                                                                            • Instruction Fuzzy Hash: 9E314975B00216EFD705DB68C890E3BB7AABBC4304F64C169E5459B299CB32EC43CB91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 0786cb3c0a2e72063c3ffaccd59fa2e08a8e96d355ca1919b004b0dcb4810255
                                                                                                            • Instruction ID: 4ea82059addd69dcc7c246d2ca83847820793d8dc67161a7f5d4c332a4bb5636
                                                                                                            • Opcode Fuzzy Hash: 0786cb3c0a2e72063c3ffaccd59fa2e08a8e96d355ca1919b004b0dcb4810255
                                                                                                            • Instruction Fuzzy Hash: 6741E0B1D10249DFDB14CFA9C984ADEBFB5FF48310F548029E419AB264DB749949CB90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c6902b467e2fc4bd6426b2be54ba55740571e9d7446a92737446bbeaaeeef867
                                                                                                            • Instruction ID: 0ffe81f336fac18a60d82627974ba725933b6bc7d392fd59e2af64bcddba1fe4
                                                                                                            • Opcode Fuzzy Hash: c6902b467e2fc4bd6426b2be54ba55740571e9d7446a92737446bbeaaeeef867
                                                                                                            • Instruction Fuzzy Hash: 1C41EEB0D10249DFDB14DFA9C984ADEBFB5FF48310F508029E819AB254DB75A945CB90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: dc775a2c31eabfba145617823c4dc7042f4de59da9a035dac94606cf8d061724
                                                                                                            • Instruction ID: 1340f9bf242889ffcc30496c7ce1d2807191fd6091815fc7bf317205c85705c2
                                                                                                            • Opcode Fuzzy Hash: dc775a2c31eabfba145617823c4dc7042f4de59da9a035dac94606cf8d061724
                                                                                                            • Instruction Fuzzy Hash: BB314D34710216CFDB29EB78C5546AE77B6BF89354F900468DA02EB3A4DB36DC41CB91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: fe4f6afd816bead66547c04a98f16107a00e8f37acaca1000ce1e3a8fe632637
                                                                                                            • Instruction ID: d5d766069e5e920346e4266c31451db8c38b71282b85a3577d06c5c5f427e5e1
                                                                                                            • Opcode Fuzzy Hash: fe4f6afd816bead66547c04a98f16107a00e8f37acaca1000ce1e3a8fe632637
                                                                                                            • Instruction Fuzzy Hash: 28316C34710216CFDB29EB38C6546AE77B6BF89354F9004A8DA01EB3A4DB36DC41CB91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 9d95cfa969f423cb23476b12ac272600938cdbff96b1d1596b71ae829147ae41
                                                                                                            • Instruction ID: 9b87dec6579ddb6fe584307aa5d6dbe3884d9257cd3a29049986e834ce557e0b
                                                                                                            • Opcode Fuzzy Hash: 9d95cfa969f423cb23476b12ac272600938cdbff96b1d1596b71ae829147ae41
                                                                                                            • Instruction Fuzzy Hash: 77318131E102469BDB15CFA8D89079EFBB2FF89300F548619E915E7245DB71A845CB50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 60bd7df04f69ecb9a75f479d46a669cf73de61aded4efbb2f27198920a611d0f
                                                                                                            • Instruction ID: d4a378bb2e1335035d02c5a92bfeb23587b04cad0f28519b353137dca4ae1b6d
                                                                                                            • Opcode Fuzzy Hash: 60bd7df04f69ecb9a75f479d46a669cf73de61aded4efbb2f27198920a611d0f
                                                                                                            • Instruction Fuzzy Hash: 4C210A71A10252CFDF22AFBC95802AD7BB5EF05325F9400BAD905EB382DB39C9518791
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 51ee07f7e62f989789f6199c2c41fb65f9709436d391150e9fb661381df7b566
                                                                                                            • Instruction ID: 203e3c199950cbcbf9fc0a07217fce6ec212ec8cd50713eb1bd284674983d236
                                                                                                            • Opcode Fuzzy Hash: 51ee07f7e62f989789f6199c2c41fb65f9709436d391150e9fb661381df7b566
                                                                                                            • Instruction Fuzzy Hash: F0216F31E1024A9BDB15CF68D45069EF7B2BF89300F50C629E915EB345DB71A846CB90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 85d8c940cd275b48e7fbf26c6026c3920062defce3e19c7b9e08d22e817244a5
                                                                                                            • Instruction ID: 073b02af9dd3f8d339a38ec5a1640c111757918dd55700f1c74da4b99d523590
                                                                                                            • Opcode Fuzzy Hash: 85d8c940cd275b48e7fbf26c6026c3920062defce3e19c7b9e08d22e817244a5
                                                                                                            • Instruction Fuzzy Hash: C121F431A202068FEB14CB79C954BAE7BF5AF8C714F118125E601EB3A0DB71DD00CB90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 54f612a991ce6efac0281bbae4fba0a0de91d0ae01a761460b97fb79acb6a40d
                                                                                                            • Instruction ID: cb5f6b78c2c3ad119d162d9e56425c4d63b98f9a5c92c59769eb8db2f593d679
                                                                                                            • Opcode Fuzzy Hash: 54f612a991ce6efac0281bbae4fba0a0de91d0ae01a761460b97fb79acb6a40d
                                                                                                            • Instruction Fuzzy Hash: 652192346201429FDF12F728EC847297B5AF746B28F905A21E206C739EEB34DC958B91
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 429508a8bc8a4ad525e3e2ea7d7243c47921b70dcd61b2f4bce4b9273c399436
                                                                                                            • Instruction ID: a79470c8efdfd70b8cf081f82667a31062130f6bb0abfb013f02e48c9948685d
                                                                                                            • Opcode Fuzzy Hash: 429508a8bc8a4ad525e3e2ea7d7243c47921b70dcd61b2f4bce4b9273c399436
                                                                                                            • Instruction Fuzzy Hash: FE219231E1020A9BCF15CF68C45169EB7B2EF89304F54851AE915FB351DB70A946CB51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ee0e45f596e21a80cd0cb5c672508adf14247e0b5411f24ff499cd47cb1bb372
                                                                                                            • Instruction ID: d8f71951c519406747e819a000f88ab59d6d0ed07631f9133f2de9319d51c1c9
                                                                                                            • Opcode Fuzzy Hash: ee0e45f596e21a80cd0cb5c672508adf14247e0b5411f24ff499cd47cb1bb372
                                                                                                            • Instruction Fuzzy Hash: 1E21D874620342DBEB36672CE4863787E61E702374F90086AFA06C73D6DA38CCD58741
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: dbd648cc43d1f4bc2081e595d9014dd0350526abc7f369b17074201197f5e860
                                                                                                            • Instruction ID: 612fcde1b544e1d33e824d1d68bd0fd3db11becbe2339b3d3df505bfdb8963aa
                                                                                                            • Opcode Fuzzy Hash: dbd648cc43d1f4bc2081e595d9014dd0350526abc7f369b17074201197f5e860
                                                                                                            • Instruction Fuzzy Hash: FA214634650205CFCB54EB78D558BAE7BF1AB8D304F6044A8E506EB3A4DB76DD00CB94
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4191723488.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_125d000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 07232ef228496a61ccfc687167dbcf738511048e397965e2c48e40c84557cfc9
                                                                                                            • Instruction ID: 375abae8d9acdbb5a78b0a5a9046661c885e63bb97c500c1aba60c01b9205e96
                                                                                                            • Opcode Fuzzy Hash: 07232ef228496a61ccfc687167dbcf738511048e397965e2c48e40c84557cfc9
                                                                                                            • Instruction Fuzzy Hash: F1212271514208DFDB51DF58D9C0B26BBA5EB84314F20C56DDD0A4B256C37AD847CA62
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b177bf4a2352079d07caa2e23c8ef022afd0f81acaa2e1da1547a711e06fe66f
                                                                                                            • Instruction ID: e1fa0134081a519c4c446d1f59816c6d341180587e210974d9444fd3163e58e2
                                                                                                            • Opcode Fuzzy Hash: b177bf4a2352079d07caa2e23c8ef022afd0f81acaa2e1da1547a711e06fe66f
                                                                                                            • Instruction Fuzzy Hash: 63218E34B10206CFEB24EB78C5147AD77F6AF49365F600868C206EB264DB358C50CB65
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b41777d663a8eed8d71c94cb2d871e084da0678856fd17526d512e62ecf03c9a
                                                                                                            • Instruction ID: 5f5e28eded2a3989a698436639424a0abc382c3c84752eab642809c86ecbb9a8
                                                                                                            • Opcode Fuzzy Hash: b41777d663a8eed8d71c94cb2d871e084da0678856fd17526d512e62ecf03c9a
                                                                                                            • Instruction Fuzzy Hash: AE215C34B10206CFEB14EB78C5187AE77F6AF89354F500468C606EB3A4DB328D50CBA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4c5cf15b2c83fd28795efa304d6d36368ad800a04cc85f83d2febca49a5faedc
                                                                                                            • Instruction ID: 960bd23cc16a492ebda8f27385ec9b02d22665a58a44d7e96649123f16169809
                                                                                                            • Opcode Fuzzy Hash: 4c5cf15b2c83fd28795efa304d6d36368ad800a04cc85f83d2febca49a5faedc
                                                                                                            • Instruction Fuzzy Hash: 61215031E1020A9BCF19CFA9C45469EF7B6BF89304F54852AE915FB341DB70A846CB51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5fa5118142758aecf9631910d7b1dc367c6803e35a31689bfdef7ce961b75c09
                                                                                                            • Instruction ID: d42c3a2ffb7a70aa057a91ffc18b9023eac170bc8c3f5886b90d64108516865b
                                                                                                            • Opcode Fuzzy Hash: 5fa5118142758aecf9631910d7b1dc367c6803e35a31689bfdef7ce961b75c09
                                                                                                            • Instruction Fuzzy Hash: 772163346201429FDF16F72CEC847197B5AF746718F505921E20AC739EEB34DC958B92
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 391daea8335e625e6c6174618da7aafe158a3c2aa521bf52ac6a5e7cb0a21648
                                                                                                            • Instruction ID: ba8f0fef4c5ae9b83ba3eac90fc1906e9178169688cd233f0fec0c7c363194da
                                                                                                            • Opcode Fuzzy Hash: 391daea8335e625e6c6174618da7aafe158a3c2aa521bf52ac6a5e7cb0a21648
                                                                                                            • Instruction Fuzzy Hash: 36213434750205CFCB14EB78D558AAEBBF5AF8D304F5044A8E506EB3A4DB729D00DBA4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4191723488.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_125d000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 6dd6efc7a5ab7ad37ae4537d3039a05a127d88ec1ccc171451e5c820cd1085de
                                                                                                            • Instruction ID: 6fbf0b89259e7d8c22dfb4118e15482f9d4ce95d14702f801b8701b953598416
                                                                                                            • Opcode Fuzzy Hash: 6dd6efc7a5ab7ad37ae4537d3039a05a127d88ec1ccc171451e5c820cd1085de
                                                                                                            • Instruction Fuzzy Hash: E0217A755093C48FDB03CF64C990711BF71AB46214F28C5EBD9898F2A7C23A980ACB62
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: f20cf070bd8d46503d77c5c8d1902683f04cde1750f5c4e99f7106cf72adc28e
                                                                                                            • Instruction ID: dbb1b12606d66a1a627008e1b74a30672aee5afb263d05836914f8acedcf110c
                                                                                                            • Opcode Fuzzy Hash: f20cf070bd8d46503d77c5c8d1902683f04cde1750f5c4e99f7106cf72adc28e
                                                                                                            • Instruction Fuzzy Hash: 1C11A330B202068FEF65AA7CD44432E76A1FB46714F904939F106DF35ADA65DC858BCD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d4eafa4b126cc92c05068f36e8f955ce5c2eb8aa9ff486e128e1b9aacb5291cd
                                                                                                            • Instruction ID: bfc2179c2cd8e73b56a25dee11ce31a9883548dc16ca17e569d6739f49477749
                                                                                                            • Opcode Fuzzy Hash: d4eafa4b126cc92c05068f36e8f955ce5c2eb8aa9ff486e128e1b9aacb5291cd
                                                                                                            • Instruction Fuzzy Hash: 90112976B10301AFDB11AB79984565EBFEAF748260F600821E905D3380EF34C9528781
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 7be2abdb0b7694828e46225f4540a099005cc2bd4c35896b765614e6830b7f4e
                                                                                                            • Instruction ID: 20463fd8e1792009bd6f6d19da8e5a38e3a5fe2bd1de7297b2f537a2107a49d2
                                                                                                            • Opcode Fuzzy Hash: 7be2abdb0b7694828e46225f4540a099005cc2bd4c35896b765614e6830b7f4e
                                                                                                            • Instruction Fuzzy Hash: 8B112530B303028FEF226678D84436E7291E742718F94493AF102DF246DA69CC858BCD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ab4caf31e3629c3cc58237cd189be3ff8e8df74d04cd6fdcbcc347bb0806ce0f
                                                                                                            • Instruction ID: fb0bef07c47ec0734413aa7d377f673bd1f50af45a9029c512973024ef3b9695
                                                                                                            • Opcode Fuzzy Hash: ab4caf31e3629c3cc58237cd189be3ff8e8df74d04cd6fdcbcc347bb0806ce0f
                                                                                                            • Instruction Fuzzy Hash: 00012131A102169FCF21EFBC94501ADBBE5EB48360F54047AD905E7301EB35D9518BD5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: ecce76e231d973dc80d95087cc9175baea9b970581002655aa153682720eb944
                                                                                                            • Instruction ID: bcfffdb4e006d40140838ad4aed17d7ac84243beaf5eaa2bb0f27482ed0e8e65
                                                                                                            • Opcode Fuzzy Hash: ecce76e231d973dc80d95087cc9175baea9b970581002655aa153682720eb944
                                                                                                            • Instruction Fuzzy Hash: C8019231A101058FDB04DFA9D98469ABBB6FF84310F54C674C94C5B29AEB70ED45CBA1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 1eeb0be3dbac0a45bcbd02fcefdb93f9f93c10ac9b33379b732d3200e0d5da9f
                                                                                                            • Instruction ID: 7cee5d0ed7717eadff8597bec52776f0589591c48de97dc83d799da4a7ad5073
                                                                                                            • Opcode Fuzzy Hash: 1eeb0be3dbac0a45bcbd02fcefdb93f9f93c10ac9b33379b732d3200e0d5da9f
                                                                                                            • Instruction Fuzzy Hash: 3AF08B33A24110CFD7228BE894901ACBF70EE64331BDC00D7D842EB200C735C456CB51
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: a67c37fa1125077d16a280429b5cee805335f4c11aa4c63a18f9386cf2edb10d
                                                                                                            • Instruction ID: f655b2998c118d1129f560fd2b8f6daaa8a83a9947ad884287a68cea4ffd1bca
                                                                                                            • Opcode Fuzzy Hash: a67c37fa1125077d16a280429b5cee805335f4c11aa4c63a18f9386cf2edb10d
                                                                                                            • Instruction Fuzzy Hash: DB01D63491014A9FCF46FBA8E940B9DBB71FB41308F404778C0059B29DDF316E46A782
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: c22b688dde57da69c1282843bf8da84e363bb26a23d079288580f0c6e7df160c
                                                                                                            • Instruction ID: 17fbc8c1e0ca23ba9ee2c3dd777af8ab7ca85670e6833ccb74348f6b77d08216
                                                                                                            • Opcode Fuzzy Hash: c22b688dde57da69c1282843bf8da84e363bb26a23d079288580f0c6e7df160c
                                                                                                            • Instruction Fuzzy Hash: 22F0F239B10204CFD704EB64D5A8B6CB7B2EB88215F6044A8E5068B3A0CB31AD42CB40
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: bbc4d7b2b8142771433b3df839c4436ef7c4aab5b68050e30d97adb032319582
                                                                                                            • Instruction ID: c618833bd05dd7ec18fe1d76db13be4186505bb01ae3c812163bd729440bd1dc
                                                                                                            • Opcode Fuzzy Hash: bbc4d7b2b8142771433b3df839c4436ef7c4aab5b68050e30d97adb032319582
                                                                                                            • Instruction Fuzzy Hash: 5FF04F34A10109AFCF45FBA8F950A9DBBB5FB41308F505678C0099725CEF316E49AB92
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 5a25ce7573b9ffcd9fba4289738bd501e257553614477d0804d195155cd0b26b
                                                                                                            • Instruction ID: 581745c946a1a43f65e7659b01c7412a6a39025bbd7b90ecebeede90eaf75832
                                                                                                            • Opcode Fuzzy Hash: 5a25ce7573b9ffcd9fba4289738bd501e257553614477d0804d195155cd0b26b
                                                                                                            • Instruction Fuzzy Hash: EEB0120104D3C01AC74351302C153C22E208B83140F2901AF50E148053E40483294B13
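The function records above are what an analyst pivots on: the same Instruction Fuzzy Hash showing up in another dump or another sample means the same code, regardless of the address it was mapped at. The following Python is an added example and is not part of the Joe Sandbox report or its IDA plugin: it parses records in the bullet-per-field layout shown on this page into dicts, checks the two properties every record here exhibits (Opcode ID repeats Opcode Fuzzy Hash; the IDs are 64 hex characters and the instruction fuzzy hash 70), and indexes the records by Instruction Fuzzy Hash so repeated functions across dumps can be spotted. The two sample records are copied from this page; the line-layout assumption and the function names are the example's own, and nothing here reconstructs how Joe Sandbox computes the hashes.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function records and index them
by fuzzy hash so the same function can be pivoted across dumps and samples.
Added example; assumes the one-bullet-per-field layout seen on the report page."""
import re
from collections import defaultdict

# Constructed sample input: two records copied from the report page, in the
# layout Joe Sandbox renders them (field names and bullets are the report's).
SAMPLE_RECORDS = """\
Memory Dump Source
• Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f20cf070bd8d46503d77c5c8d1902683f04cde1750f5c4e99f7106cf72adc28e
• Instruction ID: dbb1b12606d66a1a627008e1b74a30672aee5afb263d05836914f8acedcf110c
• Opcode Fuzzy Hash: f20cf070bd8d46503d77c5c8d1902683f04cde1750f5c4e99f7106cf72adc28e
• Instruction Fuzzy Hash: 1C11A330B202068FEF65AA7CD44432E76A1FB46714F904939F106DF35ADA65DC858BCD
Memory Dump Source
• Source File: 0000000D.00000002.4192322708.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_12a0000_tAtOLFyXVhJq.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4eafa4b126cc92c05068f36e8f955ce5c2eb8aa9ff486e128e1b9aacb5291cd
• Instruction ID: bfc2179c2cd8e73b56a25dee11ce31a9883548dc16ca17e569d6739f49477749
• Opcode Fuzzy Hash: d4eafa4b126cc92c05068f36e8f955ce5c2eb8aa9ff486e128e1b9aacb5291cd
• Instruction Fuzzy Hash: 90112976B10301AFDB11AB79984565EBFEAF748260F600821E905D3380EF34C9528781
"""

FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")
# "Source File" carries the dump name, the load offset and the PE flag in one line.
SOURCE_RE = re.compile(
    r"^(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>\w+)$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def parse_records(text):
    """Split the listing into one dict per 'Memory Dump Source' block."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    for rec in records:
        src = SOURCE_RE.match(rec.get("Source File", ""))
        if src:
            rec["dump"] = src.group("dump")
            rec["base"] = int(src.group("offset"), 16)
            rec["based_on_pe"] = src.group("pe").lower() == "true"
    return records


def check_record(rec):
    """Return the consistency problems found in one record (empty list = fine).

    Every record on the report page satisfies both checks: 'Opcode ID' repeats
    'Opcode Fuzzy Hash', and the IDs are 64 hex chars while the instruction
    fuzzy hash is 70. A record that breaks them was most likely mis-extracted.
    """
    problems = []
    if rec.get("Opcode ID") != rec.get("Opcode Fuzzy Hash"):
        problems.append("Opcode ID differs from Opcode Fuzzy Hash")
    for key, length in (("Opcode ID", 64), ("Instruction ID", 64),
                        ("Instruction Fuzzy Hash", 70)):
        value = rec.get(key, "")
        if not HEX_RE.match(value) or len(value) != length:
            problems.append(f"{key} is not {length} hex chars")
    return problems


def index_by_fuzzy_hash(records):
    """Map each Instruction Fuzzy Hash to the (dump, base) locations it occurs in.

    The same hash under two dumps (or two samples' reports) is the pivot an
    analyst uses to recognise shared code independent of its load address.
    """
    index = defaultdict(list)
    for rec in records:
        fuzzy = rec.get("Instruction Fuzzy Hash")
        if fuzzy:
            index[fuzzy].append((rec.get("dump"), rec.get("base")))
    return dict(index)


if __name__ == "__main__":
    for r in parse_records(SAMPLE_RECORDS):
        print(r["Instruction Fuzzy Hash"][:16], r["dump"], hex(r["base"]),
              check_record(r) or "ok")
```

Feeding a whole exported report (or several reports) to `parse_records` and then to `index_by_fuzzy_hash` lists every Instruction Fuzzy Hash that appears more than once; those are the candidates for a shared-code pivot, while `check_record` flags records damaged in extraction before they pollute the index.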