
Windows Analysis Report
PO 102675-PI C247SH45.exe

Overview

General Information

Sample name: PO 102675-PI C247SH45.exe
Analysis ID: 1501075
MD5: fc67feff386a251162f941b610f01eeb
SHA1: 482f7f3f808cc0997df34d8847b676fde1d1147a
SHA256: b2fb490ecbe535fb56d2e56751bbe28eb84e4c08c04ee5517f8dc462743df83e
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • PO 102675-PI C247SH45.exe (PID: 2860 cmdline: "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe" MD5: FC67FEFF386A251162F941B610F01EEB)
    • powershell.exe (PID: 6924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cfEpcI.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6932 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 1384 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpE520.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PO 102675-PI C247SH45.exe (PID: 5916 cmdline: "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe" MD5: FC67FEFF386A251162F941B610F01EEB)
  • cfEpcI.exe (PID: 5520 cmdline: C:\Users\user\AppData\Roaming\cfEpcI.exe MD5: FC67FEFF386A251162F941B610F01EEB)
    • schtasks.exe (PID: 5144 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpF7DD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cfEpcI.exe (PID: 5348 cmdline: "C:\Users\user\AppData\Roaming\cfEpcI.exe" MD5: FC67FEFF386A251162F941B610F01EEB)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Source | Rule | Description | Author
0000000E.00000002.2793018287.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.2789262829.000000000042F000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.2789262829.000000000042F000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.2792486568.00000000030C0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000A.00000002.1617341416.0000000004568000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 of 17 entries shown)
Source | Rule | Description | Author | Strings
0.2.PO 102675-PI C247SH45.exe.5022918.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.PO 102675-PI C247SH45.exe.5022918.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.PO 102675-PI C247SH45.exe.5022918.5.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x316cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3173d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31859:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31935:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a5b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
10.2.cfEpcI.exe.45a3508.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
10.2.cfEpcI.exe.45a3508.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 22 entries shown)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe", ParentImage: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe, ParentProcessId: 2860, ParentProcessName: PO 102675-PI C247SH45.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe", ProcessId: 6924, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpF7DD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpF7DD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\cfEpcI.exe, ParentImage: C:\Users\user\AppData\Roaming\cfEpcI.exe, ParentProcessId: 5520, ParentProcessName: cfEpcI.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpF7DD.tmp", ProcessId: 5144, ProcessName: schtasks.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe, Initiated: true, ProcessId: 5916, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49706
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpE520.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpE520.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe", ParentImage: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe, ParentProcessId: 2860, ParentProcessName: PO 102675-PI C247SH45.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpE520.tmp", ProcessId: 1384, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe", ParentImage: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe, ParentProcessId: 2860, ParentProcessName: PO 102675-PI C247SH45.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe", ProcessId: 6924, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpE520.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpE520.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe", ParentImage: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe, ParentProcessId: 2860, ParentProcessName: PO 102675-PI C247SH45.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpE520.tmp", ProcessId: 1384, ProcessName: schtasks.exe
No Suricata rule has matched


AV Detection

Source: http://mail.iaa-airferight.com; Avira URL Cloud: Label: malware
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Source: mail.iaa-airferight.com; Virustotal: Detection: 8%
Source: http://mail.iaa-airferight.com; Virustotal: Detection: 8%
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe; ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe; Virustotal: Detection: 62%
Source: PO 102675-PI C247SH45.exe; ReversingLabs: Detection: 57%
Source: PO 102675-PI C247SH45.exe; Virustotal: Detection: 62%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe; Joe Sandbox ML: detected
Source: PO 102675-PI C247SH45.exe; Joe Sandbox ML: detected
Source: PO 102675-PI C247SH45.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO 102675-PI C247SH45.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View; IP Address: 46.175.148.58
Source: Joe Sandbox View; ASN Name: ASLAGIDKOM-NETUA
Source: global traffic; TCP traffic: 192.168.2.7:49706 -> 46.175.148.58:25
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: mail.iaa-airferight.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, SKTzxzsJw.cs; .Net Code: sf6jJs8S
Source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.raw.unpack, SKTzxzsJw.cs; .Net Code: sf6jJs8S

System Summary

Source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 10.2.cfEpcI.exe.45a3508.4.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 9.2.PO 102675-PI C247SH45.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 10.2.cfEpcI.exe.4568ae8.8.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 10.2.cfEpcI.exe.45a3508.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 10.2.cfEpcI.exe.4568ae8.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen
Source: PO 102675-PI C247SH45.exe; Static PE information: invalid certificate
Source: PO 102675-PI C247SH45.exe, 00000000.00000000.1528780222.0000000000E52000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenamelingxi_win_ia32_1.43.1.exe0 vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1570158388.00000000032EC000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameSalmun.dll. vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1569425068.000000000164E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1570158388.0000000003516000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1571966268.0000000004C89000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1571966268.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1578581845.0000000009ED0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameTyrone.dll8 vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1576696348.0000000005BD0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameSalmun.dll. vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1570158388.0000000003271000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameSalmun.dll. vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000009.00000002.2789262829.000000000042F000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe, 00000009.00000002.2789687228.0000000000FF9000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe; Binary or memory string: OriginalFilenamelingxi_win_ia32_1.43.1.exe0 vs PO 102675-PI C247SH45.exe
Source: PO 102675-PI C247SH45.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.cfEpcI.exe.45a3508.4.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.PO 102675-PI C247SH45.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.cfEpcI.exe.4568ae8.8.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.cfEpcI.exe.45a3508.4.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.cfEpcI.exe.4568ae8.8.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: PO 102675-PI C247SH45.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cfEpcI.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, 4JJG6X.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, 8C78isHTVco.cs; Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, XZNGMaRh1iVe1T7tRw.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, XZNGMaRh1iVe1T7tRw.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, P4iBrYYtWeo13uAdCW.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, P4iBrYYtWeo13uAdCW.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, P4iBrYYtWeo13uAdCW.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, P4iBrYYtWeo13uAdCW.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, P4iBrYYtWeo13uAdCW.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, P4iBrYYtWeo13uAdCW.csSecurity API names: _0020.AddAccessRule
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@19/15@1/1
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | File created: C:\Users\user\AppData\Roaming\cfEpcI.exe
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Mutant created: \Sessions\1\BaseNamedObjects\lLtGeCKPLLzGHEf
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1412:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5456:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4084:120:WilError_03
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | File created: C:\Users\user\AppData\Local\Temp\tmpE520.tmp
Source: PO 102675-PI C247SH45.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PO 102675-PI C247SH45.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PO 102675-PI C247SH45.exe | ReversingLabs: Detection: 57%
Source: PO 102675-PI C247SH45.exe | Virustotal: Detection: 62%
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | File read: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe
Source: unknown | Process created: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cfEpcI.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpE520.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process created: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\cfEpcI.exe C:\Users\user\AppData\Roaming\cfEpcI.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpF7DD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Process created: C:\Users\user\AppData\Roaming\cfEpcI.exe "C:\Users\user\AppData\Roaming\cfEpcI.exe"
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cfEpcI.exe"
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpE520.tmp"
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process created: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpF7DD.tmp"
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Process created: C:\Users\user\AppData\Roaming\cfEpcI.exe "C:\Users\user\AppData\Roaming\cfEpcI.exe"
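The process-creation lines above contain the four behaviours a detection engineer would want to alert on from endpoint telemetry alone: a user-land binary spawning PowerShell to run Add-MpPreference -ExclusionPath, schtasks /Create fed a task definition from a .tmp file in the user's Temp directory, a process launching a second copy of its own image (the usual prelude to hollowing the child, matching the report's "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures), and execution out of AppData\Roaming. The following is an added example, not part of the Joe Sandbox report and not code from the sample: the event records are constructed by hand from the "Process created" lines (parent image, child image, command line, in the shape Sysmon Event ID 1 or an EDR would supply), the rule names are hypothetical, and the rules themselves are general, so they fire on exclusion parameters and Temp paths beyond the exact ones this sample used.

```python
"""Triage rules for Windows process-creation telemetry.

Added example modelled on the process tree in the report above; not part of
the Joe Sandbox report and not code from the sample.  SAMPLE_EVENTS is
constructed by hand from the report's "Process created" lines.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

Event = Dict[str, str]      # keys: parent, image, cmdline
Finding = Tuple[str, str]   # (hypothetical rule id, image path that fired it)

# Constructed records (not raw sandbox output). "unknown" parent is kept as the
# report prints it.
SAMPLE_EVENTS: List[Event] = [
    {"parent": "unknown",
     "image": r"C:\Users\user\Desktop\PO 102675-PI C247SH45.exe",
     "cmdline": r'"C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"'},
    {"parent": r"C:\Users\user\Desktop\PO 102675-PI C247SH45.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"'},
    {"parent": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"parent": r"C:\Users\user\Desktop\PO 102675-PI C247SH45.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cfEpcI.exe"'},
    {"parent": r"C:\Users\user\Desktop\PO 102675-PI C247SH45.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpE520.tmp"'},
    {"parent": r"C:\Users\user\Desktop\PO 102675-PI C247SH45.exe",
     "image": r"C:\Users\user\Desktop\PO 102675-PI C247SH45.exe",
     "cmdline": r'"C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"'},
    {"parent": "unknown",
     "image": r"C:\Users\user\AppData\Roaming\cfEpcI.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\cfEpcI.exe"},
    {"parent": r"C:\Users\user\AppData\Roaming\cfEpcI.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpF7DD.tmp"'},
    {"parent": r"C:\Users\user\AppData\Roaming\cfEpcI.exe",
     "image": r"C:\Users\user\AppData\Roaming\cfEpcI.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\cfEpcI.exe"'},
]

# Add-MpPreference -Exclusion{Path,Process,Extension} carves a hole in Defender;
# launched by a binary in the user profile it is almost never legitimate.
DEFENDER_EXCLUSION = re.compile(
    r"add-mppreference\b.*-exclusion(path|process|extension)\b", re.I)
# schtasks /Create ... /XML <file under any Temp directory>: the task body is
# generated at run time and the .tmp is normally deleted right afterwards.
TASK_FROM_TEMP_XML = re.compile(r'/create\b.*/xml\s+"?[^"]*\\temp\\', re.I)
EXCLUSION_PATH = re.compile(r'-exclusionpath\s+"([^"]+)"', re.I)


def image_name(path: str) -> str:
    """Lower-case file name of an image path (either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events: List[Event]) -> List[Finding]:
    """Run every rule over every event; return hits in event order."""
    findings: List[Finding] = []
    for ev in events:
        image, parent, cmd = ev["image"], ev["parent"], ev["cmdline"]
        exe = image_name(image)
        if exe == "powershell.exe" and DEFENDER_EXCLUSION.search(cmd):
            findings.append(("defender_exclusion", image))
        if exe == "schtasks.exe" and TASK_FROM_TEMP_XML.search(cmd):
            findings.append(("task_from_temp_xml", image))
        # Parent and child share one image: candidate for hollowing the child.
        if parent.lower() == image.lower():
            findings.append(("self_spawn", image))
        if "\\appdata\\" in image.lower():
            findings.append(("exec_from_appdata", image))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Hit count per rule id."""
    return dict(Counter(rule for rule, _ in findings))


def excluded_paths(events: List[Event]) -> List[str]:
    """Paths the chain told Defender to stop scanning (remediation list)."""
    paths: List[str] = []
    for ev in events:
        m = EXCLUSION_PATH.search(ev["cmdline"])
        if m:
            paths.append(m.group(1))
    return paths


if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for rule, image in hits:
        print(f"{rule:20} {image}")
    print(summarize(hits))
    print(excluded_paths(SAMPLE_EVENTS))
```

On the constructed records every rule fires twice: once for the dropper on the Desktop and once for the persisted copy in AppData\Roaming, which is exactly the re-execution the report shows after the scheduled task "Updates\cfEpcI" is registered. The paths returned by excluded_paths are the ones to remove with Remove-MpPreference -ExclusionPath during clean-up, alongside deleting the task and the dropped cfEpcI.exe.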
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: PO 102675-PI C247SH45.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: PO 102675-PI C247SH45.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: PO 102675-PI C247SH45.exe, Form2.cs | .Net Code: _206E_206E_206E_200E_200D_200C_206B_202E_200F_202D_202E_206E_202E_202D_200B_200C_206D_200D_200B_202C_200B_202D_202E_202E_202C_206F_200D_200C_202C_206F_206D_206F_200C_206C_202A_200D_200E_206D_202A_200F_202E System.Reflection.Assembly.Load(byte[])
                    Source: cfEpcI.exe.0.dr, Form2.cs | .Net Code: _206E_206E_206E_200E_200D_200C_206B_202E_200F_202D_202E_206E_202E_202D_200B_200C_206D_200D_200B_202C_200B_202D_202E_202E_202C_206F_200D_200C_202C_206F_206D_206F_200C_206C_202A_200D_200E_206D_202A_200F_202E System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, P4iBrYYtWeo13uAdCW.cs | .Net Code: gS4X5Y5rNM System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PO 102675-PI C247SH45.exe.5bb0000.9.raw.unpack, PingPong.cs | .Net Code: _202B_206B_206C_202A_206A_202A_200D_200F_200B_202D_206D_202A_206D_206E_206A_202B_200F_200D_202B_202B_202D_206C_200F_206C_206A_206E_200C_202D_206F_206D_206A_202D_200C_200D_200E_206D_200E_202D_206E_200E_202E System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, P4iBrYYtWeo13uAdCW.cs | .Net Code: gS4X5Y5rNM System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Code function: 10_2_027C8ABE push 6900B2AEh; ret 10_2_027C8AC3
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Code function: 10_2_06C7E090 pushad ; iretd 10_2_06C7E091
                    Source: PO 102675-PI C247SH45.exe | Static PE information: section name: .text entropy: 7.741414937120459
                    Source: cfEpcI.exe.0.dr | Static PE information: section name: .text entropy: 7.741414937120459
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, Dbc3IgX1pIbLinsKnQ.cs | High entropy of concatenated method names: 'VHcPeEQxkE', 'keOP1uUGD2', 'KWePYXGmvU', 'mHLPcE8Gn9', 'aBoPVFHojV', 'w2aPRululZ', 'PSlPCLt2Gl', 'CDbPscLYP0', 'L4RPWoMx54', 'ho5PSfZwxm'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, EZeN25cUnTlvDeDFeY.cs | High entropy of concatenated method names: 'U0LEwsWD57', 'dvJE3M4E7u', 'eN3Ug91OWJ', 'P5fUVKKNao', 'JM3URUmdDy', 'L92UTOm1Q1', 'DFWUCZtYo5', 'JBGUsbtMk2', 'R3xUHCxP6q', 'K3qUWH4mR0'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, TUtqE3NYx5moihSS3m.cs | High entropy of concatenated method names: 'N22jv1cM6i', 'yLqjK0Gpgr', 'ToString', 'ukxjuylvMB', 'BA6jl6DXIY', 'tY3jUE7Qo4', 'C47jEW9LN7', 'JVIjyV41eH', 'duujL4QNd1', 'ax9jtMxCfN'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, MixCIbONTxYKq4JYeR.cs | High entropy of concatenated method names: 'Dispose', 'kQ6poVcogM', 'DCN4cT4eNW', 'DtTMMZckUb', 'X3KpxtmXPK', 'znbpzEjKDu', 'ProcessDialogKey', 'JGn4mcDhWb', 'XIq4pLp5O4', 'MSe44D0q3W'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, TUssRygDr8sjbG2ASb.cs | High entropy of concatenated method names: 'btNUJaE2I4', 'HSFUfBf7ne', 'aLQUexO8Vq', 'cBrU17QGgl', 'mvgUqAWe8W', 'bXTU2CfAcV', 'sbVUjj6v7r', 'i06UFBtjQg', 'B0YUb705nJ', 'f82UhUnuZA'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, dI766yvWoXEifPqtC3.cs | High entropy of concatenated method names: 'zqSFul809L', 'bcyFl6D273', 'xGtFUhk5hQ', 'sLdFEO5fqa', 'mVXFy8aOvA', 'xLkFL5SU7F', 'HMUFtVG27X', 'lb0FdMUirh', 'PEeFvkF6HU', 'KYAFKQ0SeW'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, bCVkPj2qb5Ob5NYp2l.cs | High entropy of concatenated method names: 'Fi0yZAsGMO', 'z6Dyl35PtF', 'KTwyEMV30r', 'D2XyL82aTX', 'wMvytpNZFO', 'CK9ErW7PdX', 'FMVEifMmG3', 'MtSE7SCOH1', 'i9BEBKJOnu', 'I8UEoj6UYn'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, Gfi7r87ifsLFGY2M1A.cs | High entropy of concatenated method names: 'mOKpL2LOeX', 'Hk4ptObq5x', 'ENbpv5Ecfr', 'GLjpKevRMX', 'NqQpqtskyv', 'xxpp28aAQI', 'Iy7nV4Vml6i2JDHZgc', 'EjBPDB39AJqHdyj5dt', 'qjGxxExOEM5VHta2p2', 'mdipp7evTg'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, XZNGMaRh1iVe1T7tRw.cs | High entropy of concatenated method names: 'hWkl9ywE1J', 'mimlNN8Kfr', 'r9wl8KD0le', 'krhlncQG4b', 'usRlrWh1qn', 'pvAliXFDi0', 'Alal7MBjta', 'fmQlBUh3AE', 'WImloc7UNS', 'SywlxMr4RL'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, wTVEfVjdfxonTGLWVt.cs | High entropy of concatenated method names: 'AalbpEJCAx', 'mmFbDO9XkW', 'gfBbX19ERI', 'mmnbuXDZ4b', 'NaUblufxP7', 'vbSbEoaM0I', 'wZRbyUrehu', 'DSDF71MIp7', 'doWFBesAK8', 'QDuFo4GSbq'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, P4iBrYYtWeo13uAdCW.cs | High entropy of concatenated method names: 'FDyDZfwegY', 'F5CDuPIyZG', 'E6VDlKNfo6', 'riKDUy1lq9', 'FRXDEhMO5i', 'mvYDyE8aWC', 'QDVDLHFQR1', 'FmTDtjUqv2', 'ofEDdvgVg2', 'hO3DvouLBG'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, F7PXvwkbCrp0yksg4y.cs | High entropy of concatenated method names: 'KDdjBkL4Po', 'zdvjxo7oBL', 'fIiFm7wifw', 'iTAFpbGprP', 'AdJjS9l1Z7', 'EqUjaFuFDK', 'aKkjOktwda', 'znCj9Qe6q3', 'iGQjN7lS3v', 'a4Kj8Lvsu2'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, dKqS8cFIN1dX56nNFY.cs | High entropy of concatenated method names: 'AljL0vodjs', 'mhoL6kmqe4', 'i8kL5RJ1jy', 'MO1LJQrFLR', 'iXxLwBnr5b', 'qjMLf4529C', 'MCCL3pSpLi', 'hJcLeLM69E', 'JXgL1EEo08', 'pmELkBDxDF'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, iCOmEBKMDjAh6X6SK2y.cs | High entropy of concatenated method names: 'nYAb0MxgTU', 'jJ9b6o8xf3', 'g4sb5hUjYp', 'vi2bJyvKR7', 'PsQbw7UOok', 'SHYbfojMWu', 'x3Yb3VhBxl', 'J9XbeUAbiQ', 'jkcb12qkOs', 'KFwbk8jsn3'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, BKQ4dd4VQCEcwOGDg0.cs | High entropy of concatenated method names: 'xHg5meUwI', 'vS4Jo0i2L', 'ailfyOONA', 'C1g3qhPp7', 'Bsj1baXxc', 'ftMkQcmMu', 'Pw4AiqXW7RmSXsCYxN', 'tWN5TskpsRic2C1XjE', 'imiFitVPW', 'RsmhbNRUa'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, CcCRQVxa89tGTbPktF.cs | High entropy of concatenated method names: 'kXPqWpbYmg', 'RA1qaV9nPY', 'vAgq9bLaFv', 'coPqN6mUda', 'LBXqcCjsU9', 'qQTqgLnFhy', 'aDeqVfhXcp', 'GMrqR4RDFD', 'modqTM5DFo', 'PPuqCZFdqx'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, SsoqpGzoVWwgTYwUET.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'seXbPBfITh', 'tX7bqScaNT', 'vhub2n0aO4', 'HDnbj83TmM', 'dPXbFnhA19', 'AnPbbQpJMx', 'KBdbhbqbiv'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, SGbsmiHhmglYislFr9.cs | High entropy of concatenated method names: 'vbELuHN13T', 'bCkLUOxJVU', 'c9NLyEmPPU', 'WDayxq0swQ', 'bIoyzGsOVF', 'ON5LmiC3n6', 'Ul2LpKbDZt', 'fvoL49I7De', 'BT8LD2g9jQ', 'aGiLXYjcF6'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4f0c660.8.raw.unpack, I7B4uAKw8ph5eVgtCWE.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OxAh91gJ5T', 'YxNhNhopol', 'MwIh89Bnaf', 'A6KhneIe73', 'YW3hrBc86T', 'LWjhii3oxq', 'pAuh7w9iZ6'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, Dbc3IgX1pIbLinsKnQ.cs | High entropy of concatenated method names: 'VHcPeEQxkE', 'keOP1uUGD2', 'KWePYXGmvU', 'mHLPcE8Gn9', 'aBoPVFHojV', 'w2aPRululZ', 'PSlPCLt2Gl', 'CDbPscLYP0', 'L4RPWoMx54', 'ho5PSfZwxm'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, EZeN25cUnTlvDeDFeY.cs | High entropy of concatenated method names: 'U0LEwsWD57', 'dvJE3M4E7u', 'eN3Ug91OWJ', 'P5fUVKKNao', 'JM3URUmdDy', 'L92UTOm1Q1', 'DFWUCZtYo5', 'JBGUsbtMk2', 'R3xUHCxP6q', 'K3qUWH4mR0'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, TUtqE3NYx5moihSS3m.cs | High entropy of concatenated method names: 'N22jv1cM6i', 'yLqjK0Gpgr', 'ToString', 'ukxjuylvMB', 'BA6jl6DXIY', 'tY3jUE7Qo4', 'C47jEW9LN7', 'JVIjyV41eH', 'duujL4QNd1', 'ax9jtMxCfN'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, MixCIbONTxYKq4JYeR.cs | High entropy of concatenated method names: 'Dispose', 'kQ6poVcogM', 'DCN4cT4eNW', 'DtTMMZckUb', 'X3KpxtmXPK', 'znbpzEjKDu', 'ProcessDialogKey', 'JGn4mcDhWb', 'XIq4pLp5O4', 'MSe44D0q3W'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, TUssRygDr8sjbG2ASb.cs | High entropy of concatenated method names: 'btNUJaE2I4', 'HSFUfBf7ne', 'aLQUexO8Vq', 'cBrU17QGgl', 'mvgUqAWe8W', 'bXTU2CfAcV', 'sbVUjj6v7r', 'i06UFBtjQg', 'B0YUb705nJ', 'f82UhUnuZA'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, dI766yvWoXEifPqtC3.cs | High entropy of concatenated method names: 'zqSFul809L', 'bcyFl6D273', 'xGtFUhk5hQ', 'sLdFEO5fqa', 'mVXFy8aOvA', 'xLkFL5SU7F', 'HMUFtVG27X', 'lb0FdMUirh', 'PEeFvkF6HU', 'KYAFKQ0SeW'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, bCVkPj2qb5Ob5NYp2l.cs | High entropy of concatenated method names: 'Fi0yZAsGMO', 'z6Dyl35PtF', 'KTwyEMV30r', 'D2XyL82aTX', 'wMvytpNZFO', 'CK9ErW7PdX', 'FMVEifMmG3', 'MtSE7SCOH1', 'i9BEBKJOnu', 'I8UEoj6UYn'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, Gfi7r87ifsLFGY2M1A.cs | High entropy of concatenated method names: 'mOKpL2LOeX', 'Hk4ptObq5x', 'ENbpv5Ecfr', 'GLjpKevRMX', 'NqQpqtskyv', 'xxpp28aAQI', 'Iy7nV4Vml6i2JDHZgc', 'EjBPDB39AJqHdyj5dt', 'qjGxxExOEM5VHta2p2', 'mdipp7evTg'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, XZNGMaRh1iVe1T7tRw.cs | High entropy of concatenated method names: 'hWkl9ywE1J', 'mimlNN8Kfr', 'r9wl8KD0le', 'krhlncQG4b', 'usRlrWh1qn', 'pvAliXFDi0', 'Alal7MBjta', 'fmQlBUh3AE', 'WImloc7UNS', 'SywlxMr4RL'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, wTVEfVjdfxonTGLWVt.cs | High entropy of concatenated method names: 'AalbpEJCAx', 'mmFbDO9XkW', 'gfBbX19ERI', 'mmnbuXDZ4b', 'NaUblufxP7', 'vbSbEoaM0I', 'wZRbyUrehu', 'DSDF71MIp7', 'doWFBesAK8', 'QDuFo4GSbq'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, P4iBrYYtWeo13uAdCW.cs | High entropy of concatenated method names: 'FDyDZfwegY', 'F5CDuPIyZG', 'E6VDlKNfo6', 'riKDUy1lq9', 'FRXDEhMO5i', 'mvYDyE8aWC', 'QDVDLHFQR1', 'FmTDtjUqv2', 'ofEDdvgVg2', 'hO3DvouLBG'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, F7PXvwkbCrp0yksg4y.cs | High entropy of concatenated method names: 'KDdjBkL4Po', 'zdvjxo7oBL', 'fIiFm7wifw', 'iTAFpbGprP', 'AdJjS9l1Z7', 'EqUjaFuFDK', 'aKkjOktwda', 'znCj9Qe6q3', 'iGQjN7lS3v', 'a4Kj8Lvsu2'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, dKqS8cFIN1dX56nNFY.cs | High entropy of concatenated method names: 'AljL0vodjs', 'mhoL6kmqe4', 'i8kL5RJ1jy', 'MO1LJQrFLR', 'iXxLwBnr5b', 'qjMLf4529C', 'MCCL3pSpLi', 'hJcLeLM69E', 'JXgL1EEo08', 'pmELkBDxDF'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, iCOmEBKMDjAh6X6SK2y.cs | High entropy of concatenated method names: 'nYAb0MxgTU', 'jJ9b6o8xf3', 'g4sb5hUjYp', 'vi2bJyvKR7', 'PsQbw7UOok', 'SHYbfojMWu', 'x3Yb3VhBxl', 'J9XbeUAbiQ', 'jkcb12qkOs', 'KFwbk8jsn3'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, BKQ4dd4VQCEcwOGDg0.cs | High entropy of concatenated method names: 'xHg5meUwI', 'vS4Jo0i2L', 'ailfyOONA', 'C1g3qhPp7', 'Bsj1baXxc', 'ftMkQcmMu', 'Pw4AiqXW7RmSXsCYxN', 'tWN5TskpsRic2C1XjE', 'imiFitVPW', 'RsmhbNRUa'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, CcCRQVxa89tGTbPktF.cs | High entropy of concatenated method names: 'kXPqWpbYmg', 'RA1qaV9nPY', 'vAgq9bLaFv', 'coPqN6mUda', 'LBXqcCjsU9', 'qQTqgLnFhy', 'aDeqVfhXcp', 'GMrqR4RDFD', 'modqTM5DFo', 'PPuqCZFdqx'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, SsoqpGzoVWwgTYwUET.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'seXbPBfITh', 'tX7bqScaNT', 'vhub2n0aO4', 'HDnbj83TmM', 'dPXbFnhA19', 'AnPbbQpJMx', 'KBdbhbqbiv'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, SGbsmiHhmglYislFr9.cs | High entropy of concatenated method names: 'vbELuHN13T', 'bCkLUOxJVU', 'c9NLyEmPPU', 'WDayxq0swQ', 'bIoyzGsOVF', 'ON5LmiC3n6', 'Ul2LpKbDZt', 'fvoL49I7De', 'BT8LD2g9jQ', 'aGiLXYjcF6'
                    Source: 0.2.PO 102675-PI C247SH45.exe.4e90240.7.raw.unpack, I7B4uAKw8ph5eVgtCWE.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OxAh91gJ5T', 'YxNhNhopol', 'MwIh89Bnaf', 'A6KhneIe73', 'YW3hrBc86T', 'LWjhii3oxq', 'pAuh7w9iZ6'
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | File created: C:\Users\user\AppData\Roaming\cfEpcI.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpE520.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Process information set: NOOPENFILEERRORBOX (observed 53 times)
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Process information set: NOOPENFILEERRORBOX (observed 34 times)
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: PO 102675-PI C247SH45.exe PID: 2860, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: cfEpcI.exe PID: 5520, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 1620000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 3270000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 3090000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 7710000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 8710000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 8890000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 9890000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 9F50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: AF50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: BF50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 1640000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 3070000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Memory allocated: 2F90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 870000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 27F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: A80000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 6D00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 6AD0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 7D00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 8D00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 93B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: A3B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: B3B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 1270000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 2E00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Memory allocated: 2D00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7875
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 792
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7222
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2161
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Window / User API: threadDelayed 4167
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Window / User API: threadDelayed 5655
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Window / User API: threadDelayed 1705
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe Window / User API: threadDelayed 8160
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 6356 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2516 Thread sleep count: 7875 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6588 Thread sleep count: 792 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4808 Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1416 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2648 Thread sleep time: -10145709240540247s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1792 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep count: 34 > 30
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -31359464925306218s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -99813s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 6008 Thread sleep count: 4167 > 30
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -99697s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -99578s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -99438s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -99328s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 6008 Thread sleep count: 5655 > 30
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -99188s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -99072s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -98966s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -98860s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -98750s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -98641s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep count: 34 > 30
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -98500s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -98374s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -98265s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -98157s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -98032s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -97907s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -97782s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -97672s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -97563s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -97438s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -97313s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -97188s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -97063s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -96954s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -96829s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -96704s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -96579s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -96454s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -96329s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -96204s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -96079s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -95954s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -95829s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -95704s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -95579s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -95454s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -95329s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -95204s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -95079s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -94954s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -94829s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -94704s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -94579s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -94454s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -94329s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -94204s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -94079s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -93954s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe TID: 2912 Thread sleep time: -93829s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 1316 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -23058430092136925s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -99890s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 2920 Thread sleep count: 1705 > 30
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 2920 Thread sleep count: 8160 > 30
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -99781s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -99668s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -99561s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -99453s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -99344s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -99234s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -99125s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -99015s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -98906s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -98797s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -98687s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -98576s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -98467s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -98359s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -98150s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -98031s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -97922s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -97812s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -97703s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -97594s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -97484s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -97375s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -97266s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -97156s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -97046s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -96937s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -96828s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -96719s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -96609s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -96500s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -96390s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -96281s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -96168s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -96047s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -95937s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -95828s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -95719s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -95609s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -95500s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -95391s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -95281s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -95172s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -95062s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -94953s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -94844s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -94734s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -94625s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe TID: 7056 Thread sleep time: -94516s >= -30000s
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 99813
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 99697
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 99578
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 99438
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 99328
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 99188
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 99072
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 98966
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 98860
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe Thread delayed: delay time: 98750
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 98641Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 98500Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 98374Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 98265Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 98157Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 98032Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 97907Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 97782Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 97672Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 97563Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 97438Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 97313Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 97188Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 97063Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 96954Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 96829Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 96704Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 96579Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 96454Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 96329Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 96204Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 96079Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 95954Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 95829Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 95704Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 95579Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 95454Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 95329Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 95204Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 95079Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 94954Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 94829Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 94704Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 94579Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 94454Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 94329Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 94204Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 94079Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 93954Jump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeThread delayed: delay time: 93829Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 99890
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 99781
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 99668
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 99561
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 99453
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 99344
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 99234
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 99125
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 99015
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 98906
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 98797
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 98687
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 98576
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 98467
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 98359
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 98150
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 98031
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 97922
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 97812
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 97703
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 97594
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 97484
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 97375
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 97266
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 97156
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 97046
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 96937
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 96828
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 96719
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 96609
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 96500
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 96390
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 96281
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 96168
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 96047
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 95937
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 95828
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 95719
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 95609
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 95500
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 95391
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 95281
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 95172
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 95062
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 94953
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 94844
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 94734
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 94625
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeThread delayed: delay time: 94516
                    Source: cfEpcI.exe, 0000000A.00000002.1614391489.0000000000A04000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: PO 102675-PI C247SH45.exe, 00000000.00000002.1569706995.0000000001720000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: PO 102675-PI C247SH45.exe, 00000009.00000002.2791699933.00000000014FF000.00000004.00000020.00020000.00000000.sdmp, cfEpcI.exe, 0000000E.00000002.2790878961.00000000010BF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cfEpcI.exe"
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cfEpcI.exe"
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe; Memory written: C:\Users\user\AppData\Roaming\cfEpcI.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cfEpcI.exe"
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpE520.tmp"
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe; Process created: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpF7DD.tmp"
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exe; Process created: C:\Users\user\AppData\Roaming\cfEpcI.exe "C:\Users\user\AppData\Roaming\cfEpcI.exe"
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe; Queries volume information: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe VolumeInformation
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe; Queries volume information: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe VolumeInformation
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeQueries volume information: C:\Users\user\AppData\Roaming\cfEpcI.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeQueries volume information: C:\Users\user\AppData\Roaming\cfEpcI.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\cfEpcI.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.cfEpcI.exe.45a3508.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PO 102675-PI C247SH45.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.cfEpcI.exe.4568ae8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.cfEpcI.exe.45a3508.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.cfEpcI.exe.4568ae8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2793018287.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2789262829.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2792486568.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1617341416.0000000004568000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2793018287.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2792486568.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1571966268.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO 102675-PI C247SH45.exe PID: 2860, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PO 102675-PI C247SH45.exe PID: 5916, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cfEpcI.exe PID: 5520, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cfEpcI.exe PID: 5348, type: MEMORYSTR
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\cfEpcI.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.cfEpcI.exe.45a3508.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PO 102675-PI C247SH45.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.cfEpcI.exe.4568ae8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.cfEpcI.exe.45a3508.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.cfEpcI.exe.4568ae8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2789262829.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1617341416.0000000004568000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2793018287.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2792486568.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1571966268.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO 102675-PI C247SH45.exe PID: 2860, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PO 102675-PI C247SH45.exe PID: 5916, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cfEpcI.exe PID: 5520, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cfEpcI.exe PID: 5348, type: MEMORYSTR
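The file and registry accesses listed above are what makes this section actionable outside the sandbox: a process that sweeps WinSCP sessions, browser Login Data / profiles.ini files, an FTP client's saved-site list and several mail clients' profile stores in one run is behaving like a credential stealer regardless of its hash. The following is an added example, not part of the Joe Sandbox report: it parses behaviour lines in the report's own "Source: <process>File opened: <path>" / "Key opened: <key>" form, maps each access to a credential-store category derived from the paths in this section, and flags any process touching two or more categories. The grouping into categories, the two-category threshold and the sample input are assumptions for illustration.

```python
"""Flag credential-store sweeps in sandbox behaviour lines.

Added example (not part of the Joe Sandbox report): the path and registry
patterns are taken from the "Stealing of Sensitive Information" entries in
the report; the parser, the category grouping and the scoring threshold are
assumptions about how an analyst might turn those entries into a triage check.
"""
import re
from collections import defaultdict

# Credential stores the sample touched, grouped by what they hold. Matching is
# a case-insensitive regex search on the path or registry key.
CREDENTIAL_STORES = {
    "winscp": [r"\\Martin Prikryl\\WinSCP 2\\Sessions"],
    "browser": [
        r"\\Google\\Chrome\\User Data\\.*\\Login Data",
        r"\\Microsoft\\Edge\\User Data\\.*\\Login Data",
        r"\\Mozilla\\Firefox\\profiles\.ini",
        r"\\8pecxstudios\\Cyberfox\\profiles\.ini",
        r"\\NETGATE Technologies\\BlackHawk\\profiles\.ini",
    ],
    "ftp": [r"\\FTP Navigator\\Ftplist\.txt"],
    "mail": [
        r"\\Thunderbird\\profiles\.ini",
        r"\\Windows Messaging Subsystem\\Profiles",
        r"\\IncrediMail\\Identities",
    ],
}

# Report lines read "Source: <process>File opened: <path>" or
# "Source: <process>Key opened: <key>", sometimes with a trailing
# "Jump to behavior" link label left over from the HTML.
LINE_RE = re.compile(
    r"^\s*Source:\s*(?P<proc>.+?\.exe)\s*(?P<kind>File opened|Key opened):\s*"
    r"(?P<target>.+?)\s*(Jump to behavior)?\s*$"
)


def parse_behavior_lines(lines):
    """Yield (process, kind, target) for each file/registry access line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("proc"), m.group("kind"), m.group("target")


def classify_target(target):
    """Return the credential-store category a path/key belongs to, or None."""
    for category, patterns in CREDENTIAL_STORES.items():
        for pat in patterns:
            if re.search(pat, target, re.IGNORECASE):
                return category
    return None


def credential_access_by_process(lines):
    """Map each process to the set of credential-store categories it touched."""
    hits = defaultdict(set)
    for proc, _kind, target in parse_behavior_lines(lines):
        category = classify_target(target)
        if category:
            hits[proc].add(category)
    return dict(hits)


def stealer_suspects(lines, min_categories=2):
    """Processes touching at least `min_categories` distinct store types.

    One category alone (e.g. only Thunderbird's profiles.ini) can be a
    legitimate client reading its own data; a process sweeping browsers, an
    FTP client, mail clients and WinSCP together is the pattern in the report.
    """
    return sorted(
        proc for proc, cats in credential_access_by_process(lines).items()
        if len(cats) >= min_categories
    )


# Constructed sample input mirroring the report's entries (not a live capture);
# the thunderbird.exe line is a constructed benign control.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\cfEpcI.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    r"Source: C:\Users\user\AppData\Roaming\cfEpcI.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Roaming\cfEpcI.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"Source: C:\Users\user\AppData\Roaming\cfEpcI.exeFile opened: C:\FTP Navigator\Ftplist.txt",
    r"Source: C:\Users\user\AppData\Roaming\cfEpcI.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior",
    r"Source: C:\Users\user\Desktop\PO 102675-PI C247SH45.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior",
    r"Source: C:\Program Files\Mozilla Thunderbird\thunderbird.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
]

if __name__ == "__main__":
    for proc, cats in credential_access_by_process(SAMPLE_LINES).items():
        print(f"{proc}: {sorted(cats)}")
    print("suspects:", stealer_suspects(SAMPLE_LINES))
```

The same parser works on the report's "Queries volume information" lines if the `kind` alternation is widened; the threshold is deliberately on distinct store types rather than raw access counts, because the injected child process in this report touches only WinSCP and mail stores yet is still the same stealer.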

Remote Access Functionality

Source: Yara match | File source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.cfEpcI.exe.45a3508.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PO 102675-PI C247SH45.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.cfEpcI.exe.4568ae8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO 102675-PI C247SH45.exe.5022918.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.cfEpcI.exe.45a3508.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.cfEpcI.exe.4568ae8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO 102675-PI C247SH45.exe.4fe7ef8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000002.2793018287.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2789262829.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2792486568.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1617341416.0000000004568000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2793018287.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2792486568.0000000003071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1571966268.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PO 102675-PI C247SH45.exe PID: 2860, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PO 102675-PI C247SH45.exe PID: 5916, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cfEpcI.exe PID: 5520, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cfEpcI.exe PID: 5348, type: MEMORYSTR
MITRE ATT&CK Matrix

The matrix was exported as a flattened 14-column grid. Below are the techniques the report marked as matched, listed per tactic; the number in parentheses is the signature-count badge exactly as the report renders it. Every other cell of the grid was the standard unmatched technique template (for example Valid Accounts, Remote Desktop Protocol, NTDS, DCSync), and no technique was matched under Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration or Impact.

Execution: Windows Management Instrumentation (121); Scheduled Task/Job (1)
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1)
Privilege Escalation: Process Injection (111); Scheduled Task/Job (1); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (141); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); Input Capture (1); Credentials in Registry (1)
Discovery: Security Software Discovery (211); Process Discovery (1); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (24)
Collection: Email Collection (1); Input Capture (1); Archive Collected Data (11); Data from Local System (2)
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (11)
Behavior Graph

Behavior Graph ID: 1501075 | Sample: PO 102675-PI C247SH45.exe | Start date: 29/08/2024 | Architecture: WINDOWS | Score: 100
Root-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
Contacted host: mail.iaa-airferight.com

The graph export was flattened; the process tree it encodes, with the numeric node badges as drawn in the graph, is:

PO 102675-PI C247SH45.exe (7) started
    dropped: C:\Users\user\AppData\Roaming\cfEpcI.exe, PE32
    dropped: C:\Users\user\...\cfEpcI.exe:Zone.Identifier, ASCII
    dropped: C:\Users\user\AppData\Local\...\tmpE520.tmp, XML
    dropped: C:\Users\...\PO 102675-PI C247SH45.exe.log, ASCII
    signature: Adds a directory exclusion to Windows Defender
    PO 102675-PI C247SH45.exe (2) started
        network: mail.iaa-airferight.com 46.175.148.58, port 25, ASLAGIDKOM-NETUA, Ukraine
    powershell.exe (23) started
        signature: Loading BitLocker PowerShell Module
        conhost.exe started
        WmiPrvSE.exe started
    powershell.exe (23) started
        conhost.exe started
    schtasks.exe (1) started
        conhost.exe started
cfEpcI.exe (5) started
    signature: Multi AV Scanner detection for dropped file
    signature: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
    signature: Machine Learning detection for dropped file
    signature: Injects a PE file into a foreign processes
    cfEpcI.exe started
        signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
        signature: Tries to steal Mail credentials (via file / registry access)
        signature: Tries to harvest and steal ftp login credentials
        signature: Tries to harvest and steal browser information (history, passwords, etc)
    schtasks.exe started
        conhost.exe started

Source | Detection | Scanner | Label | Link
PO 102675-PI C247SH45.exe | 58% | ReversingLabs | Win32.Spyware.Negasteal
PO 102675-PI C247SH45.exe | 63% | Virustotal | | Browse
PO 102675-PI C247SH45.exe | 100% | Joe Sandbox ML

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\cfEpcI.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\cfEpcI.exe | 58% | ReversingLabs | Win32.Spyware.Negasteal
C:\Users\user\AppData\Roaming\cfEpcI.exe | 63% | Virustotal | | Browse

No Antivirus matches

Source | Detection | Scanner | Label | Link
mail.iaa-airferight.com | 8% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
https://account.dyn.com/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.symauth.com/cps0( | 0% | URL Reputation | safe
http://www.symauth.com/rpa00 | 0% | URL Reputation | safe
http://mail.iaa-airferight.com | 100% | Avira URL Cloud | malware
http://mail.iaa-airferight.com | 8% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.iaa-airferight.com | 46.175.148.58 | true | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://account.dyn.com/ | PO 102675-PI C247SH45.exe, 00000000.00000002.1571966268.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, PO 102675-PI C247SH45.exe, 00000009.00000002.2789262829.000000000042F000.00000040.00000400.00020000.00000000.sdmp, cfEpcI.exe, 0000000A.00000002.1617341416.0000000004568000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PO 102675-PI C247SH45.exe, 00000000.00000002.1570158388.0000000003516000.00000004.00000800.00020000.00000000.sdmp, cfEpcI.exe, 0000000A.00000002.1615626316.0000000002A96000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.symauth.com/cps0( | PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr | false | URL Reputation: safe | unknown
http://www.symauth.com/rpa00 | PO 102675-PI C247SH45.exe, cfEpcI.exe.0.dr | false | URL Reputation: safe | unknown
http://mail.iaa-airferight.com | PO 102675-PI C247SH45.exe, 00000009.00000002.2792486568.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, cfEpcI.exe, 0000000E.00000002.2793018287.0000000002E57000.00000004.00000800.00020000.00000000.sdmp | true | 8% Virustotal (Browse); Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
46.175.148.58 | mail.iaa-airferight.com | Ukraine | 56394 | ASLAGIDKOM-NETUA | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1501075
Start date and time: 2024-08-29 12:01:15 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO 102675-PI C247SH45.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@19/15@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 147
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
Time | Type | Description
06:02:41 | API Interceptor | 169x Sleep call for process: PO 102675-PI C247SH45.exe modified
06:02:43 | API Interceptor | 44x Sleep call for process: powershell.exe modified
06:02:46 | API Interceptor | 177x Sleep call for process: cfEpcI.exe modified
12:02:44 | Task Scheduler | Run new task: cfEpcI path: C:\Users\user\AppData\Roaming\cfEpcI.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context

The report lists the same ten earlier submissions as context for the IP 46.175.148.58, for the domain mail.iaa-airferight.com and for the ASN ASLAGIDKOM-NETUA (the domain and ASN entries each carry 46.175.148.58 as their context IP). Every entry is detected as malicious and offers a "Get hash" link for the SHA 256 and a "Browse" link to the earlier report:

Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe | malicious | AgentTesla, DarkTortilla
SecuriteInfo.com.BackDoor.SpyBotNET.62.13095.12836.exe | malicious | AgentTesla
PO 102675-PI C247SH45.exe | malicious | AgentTesla, DarkTortilla
NINGBO-Invoices-Past Due.exe | malicious | AgentTesla, DarkTortilla
Payment Advice-DPEB08-2SDC - SS25 Price C246SH32.exe | malicious | AgentTesla, DarkTortilla
New RFQ Compliance_Matrix_Product.exe | malicious | AgentTesla, RedLine
New PO Compliance_Matrix_Product.exe | malicious | AgentTesla, RedLine
Shipmernt copy.exe | malicious | AgentTesla
Payment Advice-DPEB08-2SDC - SS25 Price C246SH32.exe | malicious | AgentTesla
Purchase, Order no X850580.exe | malicious | AgentTesla, PureLog Stealer
                                        No context
                                        No context
                                        Process:C:\Users\user\Desktop\PO 102675-PI C247SH45.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.34331486778365
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                        Process:C:\Users\user\AppData\Roaming\cfEpcI.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1216
                                        Entropy (8bit):5.34331486778365
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                        Malicious:false
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):2232
                                        Entropy (8bit):5.380747059108785
                                        Encrypted:false
                                        SSDEEP:48:lylWSU4xc4RQmFoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:lGLHxcIFKLgZ2KRHWLOug8s
                                        MD5:D3C361B9D7A7E2A173C0491782FE3758
                                        SHA1:E69AD4615F1CFBD8226139AD961F066ECB91CD72
                                        SHA-256:047514DB40C3FF6F13A5B950AA984ED393401E686A6AF6D4AC4BCCA9A3A33A0D
                                        SHA-512:CFCDB34C34CABC3C2368F0B0B0A3DBD3D99B2477786BDB042D6240BD68F1904EA4619370F09C76C1B59382485FE81D70C62EDD9C922C6ED3EEA6987067BAF590
                                        Malicious:false
                                        Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.ConfigurationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Users\user\Desktop\PO 102675-PI C247SH45.exe
                                        File Type:XML 1.0 document, ASCII text
                                        Category:dropped
                                        Size (bytes):1600
                                        Entropy (8bit):5.11484170367726
                                        Encrypted:false
                                        SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt1xvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTLv
                                        MD5:1B620044249376AAF79EF2504BFD19A8
                                        SHA1:E01C0D4957FC3A8B791843A4AC4A558238FD2DF2
                                        SHA-256:F9DB814DEC3C5959338DA7CD954F5CBECFB015CC1D4BE600A95E5BE67A40E902
                                        SHA-512:960A249566AB767773D997E77014F49361E3C333127BF0C19244AB59CBF0BC44BD18F70BE6212D6D2B6F61D91168A507DA211FA96ED62ABD2C5DB86967203479
                                        Malicious:true
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                        Process:C:\Users\user\AppData\Roaming\cfEpcI.exe
                                        File Type:XML 1.0 document, ASCII text
                                        Category:dropped
                                        Size (bytes):1600
                                        Entropy (8bit):5.11484170367726
                                        Encrypted:false
                                        SSDEEP:24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt1xvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTLv
                                        MD5:1B620044249376AAF79EF2504BFD19A8
                                        SHA1:E01C0D4957FC3A8B791843A4AC4A558238FD2DF2
                                        SHA-256:F9DB814DEC3C5959338DA7CD954F5CBECFB015CC1D4BE600A95E5BE67A40E902
                                        SHA-512:960A249566AB767773D997E77014F49361E3C333127BF0C19244AB59CBF0BC44BD18F70BE6212D6D2B6F61D91168A507DA211FA96ED62ABD2C5DB86967203479
                                        Malicious:false
                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.
                                        Process:C:\Users\user\Desktop\PO 102675-PI C247SH45.exe
                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Category:dropped
                                        Size (bytes):800872
                                        Entropy (8bit):7.738047903099238
                                        Encrypted:false
                                        SSDEEP:24576:6qPRco/A3jfPjxkCcG/zXkvoUgx5Jf0k6xt:vcOATXVkCcG/z0vohx5B6T
                                        MD5:FC67FEFF386A251162F941B610F01EEB
                                        SHA1:482F7F3F808CC0997DF34D8847B676FDE1D1147A
                                        SHA-256:B2FB490ECBE535FB56D2E56751BBE28EB84E4C08C04EE5517F8DC462743DF83E
                                        SHA-512:4901FD53E4AF53D3FFB970D700D65A60BD889914BB43B309B5B3E75909439F1FF53281571067AD847C80BB8B2BDE5D2633BE0F93C5023F273AF9C52D1832B888
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 58%
• Antivirus: Virustotal, Detection: 63%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d..f..............0.................. ... ....@.. .......................`............@.....................................S.... ..................h4...@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......Pd..8...........p................................................0..........*....0..<........(.... ..3. ..t.a%..$^E$...........G.......#...\...........1.......~...[...........J.......................}...z...-...h... ...........[...........5.......~.......8.......8.....{.....($.... .n3aZ ..ea8=...~......(.....oa.... U.G:Z v.j.a8....~......(.....oa...~......(.....oa...~......(.....oa.... .G.HZ .jW.a8....~......(.....oa.... ....Z ....a8........... .m.rZ ."..a8...... .L.
                                        Process:C:\Users\user\Desktop\PO 102675-PI C247SH45.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):26
                                        Entropy (8bit):3.95006375643621
                                        Encrypted:false
                                        SSDEEP:3:ggPYV:rPYV
                                        MD5:187F488E27DB4AF347237FE461A079AD
                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                        Malicious:true
                                        Preview:[ZoneTransfer]....ZoneId=0
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.738047903099238
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                        • Win32 Executable (generic) a (10002005/4) 49.96%
                                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:PO 102675-PI C247SH45.exe
                                        File size:800'872 bytes
                                        MD5:fc67feff386a251162f941b610f01eeb
                                        SHA1:482f7f3f808cc0997df34d8847b676fde1d1147a
                                        SHA256:b2fb490ecbe535fb56d2e56751bbe28eb84e4c08c04ee5517f8dc462743df83e
                                        SHA512:4901fd53e4af53d3ffb970d700d65a60bd889914bb43b309b5b3e75909439f1ff53281571067ad847c80bb8b2bde5d2633be0f93c5023f273af9c52d1832b888
                                        SSDEEP:24576:6qPRco/A3jfPjxkCcG/zXkvoUgx5Jf0k6xt:vcOATXVkCcG/z0vohx5B6T
                                        TLSH:E305E0D43621731ECD678831C568DC71A2A5297AB306B6E744EB3B4B794C192DF08FA3
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d..f..............0.................. ... ....@.. .......................`............@................................
                                        Icon Hash:939393939393b3b3
                                        Entrypoint:0x4c10de
                                        Entrypoint Section:.text
                                        Digitally signed:true
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x66CD0764 [Mon Aug 26 22:53:24 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                        Signature Valid:false
                                        Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                        Signature Validation Error:The digital signature of the object did not verify
                                        Error Number:-2146869232
Not Before:11/11/2021 01:00:00
Not After:14/11/2024 00:59:59
                                        Subject Chain
                                        • CN="NetEase Youdao Information Technology (Beijing) Co.,Ltd.", O="NetEase Youdao Information Technology (Beijing) Co.,Ltd.", S=Beijing, C=CN
                                        Version:3
                                        Thumbprint MD5:4F5FEC748CD450F88841E761105381F9
                                        Thumbprint SHA-1:4969233BC110419F015F688CF21C19254B1B0BAA
                                        Thumbprint SHA-256:1CC254B81F32E63E63AD35958D2E738ADAA491167E1EA91199DEF66274175909
                                        Serial:01CC0C6632D0CA3E68F19D8028508E91
                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc1088 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc2000 | 0xca4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xc0400 | 0x3468 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xbf0e4 | 0xbf200 | a863bf41d71d442c4abc403bcb959848 | False | 0.8785524137508175 | data | 7.741414937120459 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc2000 | 0xca4 | 0xe00 | 0cb5ab5ccb54dd95ed483f13324709c0 | False | 0.4165736607142857 | data | 5.0327988291068335 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc4000 | 0xc | 0x200 | 0d14372f0d0c754057c549d43eff8a6a | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc20e8 | 0x83a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.49002849002849
RT_GROUP_ICON | 0xc2924 | 0x14 | data | | | 1.05
RT_VERSION | 0xc2938 | 0x36c | data | | | 0.4372146118721461

DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 29, 2024 12:02:46.140786886 CEST | 49706 | 25 | 192.168.2.7 | 46.175.148.58
Aug 29, 2024 12:02:47.152100086 CEST | 49706 | 25 | 192.168.2.7 | 46.175.148.58
Aug 29, 2024 12:02:49.152061939 CEST | 49706 | 25 | 192.168.2.7 | 46.175.148.58
Aug 29, 2024 12:02:49.419506073 CEST | 49709 | 25 | 192.168.2.7 | 46.175.148.58
Aug 29, 2024 12:02:50.433331966 CEST | 49709 | 25 | 192.168.2.7 | 46.175.148.58
Aug 29, 2024 12:02:52.433335066 CEST | 49709 | 25 | 192.168.2.7 | 46.175.148.58
Aug 29, 2024 12:02:53.167722940 CEST | 49706 | 25 | 192.168.2.7 | 46.175.148.58
Aug 29, 2024 12:02:56.437731981 CEST | 49709 | 25 | 192.168.2.7 | 46.175.148.58
Aug 29, 2024 12:03:01.183342934 CEST | 49706 | 25 | 192.168.2.7 | 46.175.148.58
Aug 29, 2024 12:03:04.449044943 CEST | 49709 | 25 | 192.168.2.7 | 46.175.148.58

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 29, 2024 12:02:45.910514116 CEST | 53285 | 53 | 192.168.2.7 | 1.1.1.1
Aug 29, 2024 12:02:46.119035006 CEST | 53 | 53285 | 1.1.1.1 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 29, 2024 12:02:45.910514116 CEST | 192.168.2.7 | 1.1.1.1 | 0x4826 | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 29, 2024 12:02:46.119035006 CEST | 1.1.1.1 | 192.168.2.7 | 0x4826 | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false

                                        Target ID:0
                                        Start time:06:02:41
                                        Start date:29/08/2024
                                        Path:C:\Users\user\Desktop\PO 102675-PI C247SH45.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"
                                        Imagebase:0xe50000
                                        File size:800'872 bytes
                                        MD5 hash:FC67FEFF386A251162F941B610F01EEB
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1571966268.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1571966268.0000000004FE7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:true

                                        Target ID:3
                                        Start time:06:02:42
                                        Start date:29/08/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"
                                        Imagebase:0xa10000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:06:02:42
                                        Start date:29/08/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff75da10000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:06:02:42
                                        Start date:29/08/2024
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\cfEpcI.exe"
                                        Imagebase:0xa10000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:6
                                        Start time:06:02:42
                                        Start date:29/08/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff75da10000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:06:02:42
                                        Start date:29/08/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpE520.tmp"
                                        Imagebase:0xb0000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:8
                                        Start time:06:02:42
                                        Start date:29/08/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff75da10000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:9
                                        Start time:06:02:43
                                        Start date:29/08/2024
                                        Path:C:\Users\user\Desktop\PO 102675-PI C247SH45.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\PO 102675-PI C247SH45.exe"
                                        Imagebase:0xda0000
                                        File size:800'872 bytes
                                        MD5 hash:FC67FEFF386A251162F941B610F01EEB
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2789262829.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2789262829.000000000042F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2792486568.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2792486568.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2792486568.0000000003071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false

                                        Target ID:10
                                        Start time:06:02:44
                                        Start date:29/08/2024
                                        Path:C:\Users\user\AppData\Roaming\cfEpcI.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Roaming\cfEpcI.exe
                                        Imagebase:0x1b0000
                                        File size:800'872 bytes
                                        MD5 hash:FC67FEFF386A251162F941B610F01EEB
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1617341416.0000000004568000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1617341416.0000000004568000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 58%, ReversingLabs
                                        • Detection: 63%, Virustotal, Browse
                                        Reputation:low
                                        Has exited:true

                                        Target ID:11
                                        Start time:06:02:45
                                        Start date:29/08/2024
                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                        Imagebase:0x7ff7fb730000
                                        File size:496'640 bytes
                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                        Has elevated privileges:true
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:12
                                        Start time:06:02:47
                                        Start date:29/08/2024
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cfEpcI" /XML "C:\Users\user\AppData\Local\Temp\tmpF7DD.tmp"
                                        Imagebase:0xb0000
                                        File size:187'904 bytes
                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:13
                                        Start time:06:02:47
                                        Start date:29/08/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff75da10000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:14
                                        Start time:06:02:47
                                        Start date:29/08/2024
                                        Path:C:\Users\user\AppData\Roaming\cfEpcI.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Roaming\cfEpcI.exe"
                                        Imagebase:0x940000
                                        File size:800'872 bytes
                                        MD5 hash:FC67FEFF386A251162F941B610F01EEB
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2793018287.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2793018287.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2793018287.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false

                                          Execution Graph

                                          Execution Coverage:6.7%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:34
                                          Total number of Limit Nodes:4
                                          execution_graph 12634 162ce60 12635 162cea2 12634->12635 12636 162cea8 GetModuleHandleW 12634->12636 12635->12636 12637 162ced5 12636->12637 12638 162ef00 12639 162ef46 GetCurrentProcess 12638->12639 12641 162ef91 12639->12641 12642 162ef98 GetCurrentThread 12639->12642 12641->12642 12643 162efd5 GetCurrentProcess 12642->12643 12644 162efce 12642->12644 12645 162f00b GetCurrentThreadId 12643->12645 12644->12643 12647 162f064 12645->12647 12658 1624550 12659 162455a 12658->12659 12661 1624680 12658->12661 12662 16246a5 12661->12662 12666 1624b88 12662->12666 12670 1624b98 12662->12670 12667 1624b95 12666->12667 12668 1624c9c 12667->12668 12674 1624814 12667->12674 12671 1624bbf 12670->12671 12672 1624814 CreateActCtxA 12671->12672 12673 1624c9c 12671->12673 12672->12673 12675 1625c28 CreateActCtxA 12674->12675 12677 1625ceb 12675->12677 12648 162f148 DuplicateHandle 12649 162f1de 12648->12649 12650 162cf08 12651 162cf1c 12650->12651 12652 162cf41 12651->12652 12654 162bfe0 12651->12654 12655 162d0e8 LoadLibraryExW 12654->12655 12657 162d161 12655->12657 12657->12652

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 298 162ef00-162ef8f GetCurrentProcess 302 162ef91-162ef97 298->302 303 162ef98-162efcc GetCurrentThread 298->303 302->303 304 162efd5-162f009 GetCurrentProcess 303->304 305 162efce-162efd4 303->305 307 162f012-162f02a 304->307 308 162f00b-162f011 304->308 305->304 311 162f033-162f062 GetCurrentThreadId 307->311 308->307 312 162f064-162f06a 311->312 313 162f06b-162f0cd 311->313 312->313
                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 0162EF7E
                                          • GetCurrentThread.KERNEL32 ref: 0162EFBB
                                          • GetCurrentProcess.KERNEL32 ref: 0162EFF8
                                          • GetCurrentThreadId.KERNEL32 ref: 0162F051
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1569370759.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1620000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 00910b5307d49edcedcc524cad7fc948a52277d4d49e24900f831f3478139746
                                          • Instruction ID: 1a30d39416fa4146d2543956c06180c5414c3a7970aefe5589ce7a4dbf5a796e
                                          • Opcode Fuzzy Hash: 00910b5307d49edcedcc524cad7fc948a52277d4d49e24900f831f3478139746
                                          • Instruction Fuzzy Hash: 345146B0900649CFEB28CFAAD948BDEBBF1EF48314F208459E019A7390D7359944CF65

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 342 1625c1c-1625c26 343 1625c28-1625ce9 CreateActCtxA 342->343 345 1625cf2-1625d4c 343->345 346 1625ceb-1625cf1 343->346 353 1625d5b-1625d5f 345->353 354 1625d4e-1625d51 345->354 346->345 355 1625d70 353->355 356 1625d61-1625d6d 353->356 354->353 358 1625d71 355->358 356->355 358->358
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 01625CD9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1569370759.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1620000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: 59b261712c1fd87b327054dd0104fc1836cc40db0fd6777b84f0a177801fe38f
                                          • Instruction ID: ca9c61e3a04c839b0d3dded5dc329b75a8138867de94bb2c7e0f74f98fa226a1
                                          • Opcode Fuzzy Hash: 59b261712c1fd87b327054dd0104fc1836cc40db0fd6777b84f0a177801fe38f
                                          • Instruction Fuzzy Hash: 8E41F0B1C00729CBEB24CFA9C844BDEBBB5BF49304F20806AD409AB251DB755946CF94

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 359 1624814-1625ce9 CreateActCtxA 362 1625cf2-1625d4c 359->362 363 1625ceb-1625cf1 359->363 370 1625d5b-1625d5f 362->370 371 1625d4e-1625d51 362->371 363->362 372 1625d70 370->372 373 1625d61-1625d6d 370->373 371->370 375 1625d71 372->375 373->372 375->375
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 01625CD9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1569370759.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1620000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          • Opcode ID: f6a64a7a5e3670d7b5b3fd704e0f4725faa0318ac912c085fa5cc6e290859f66
                                          • Instruction ID: 788066fe37a2ca4ea81edcd4fceb2bcf63a0bec2c8358b957789e3241deeda33
                                          • Opcode Fuzzy Hash: f6a64a7a5e3670d7b5b3fd704e0f4725faa0318ac912c085fa5cc6e290859f66
                                          • Instruction Fuzzy Hash: 2F41C171C00B29CBEB24CFAAC8447DEBBB5BF48704F20806AD409AB355DB755946CF94

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 376 162f148-162f1dc DuplicateHandle 377 162f1e5-162f202 376->377 378 162f1de-162f1e4 376->378 378->377
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0162F1CF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1569370759.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1620000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          • Opcode ID: 380011ca1c620fc2f007878fd3eeee1e21caf61ef9e54a7a9f3ab5c993e355cd
                                          • Instruction ID: ffc0cc043da0eeaf0f9c8e70f5a91122b55d1502c03e87cf0d0407bfd90659e6
                                          • Opcode Fuzzy Hash: 380011ca1c620fc2f007878fd3eeee1e21caf61ef9e54a7a9f3ab5c993e355cd
                                          • Instruction Fuzzy Hash: B221C4B5D00259EFDB10CF9AD984ADEBBF4EB48310F14841AE914A7350D379A944CF65

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          [Figure: control-flow graph of the function starting at block 162bfe0-162d128; the graph contains a call to LoadLibraryExW]
                                          APIs
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0162CF41,00000800,00000000,00000000), ref: 0162D152
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1569370759.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1620000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          • Opcode ID: e9193e366047870b28127e3109bc92520ca3ba5afee92391808300266922ba72
                                          • Instruction ID: a79ca02febd52869ebe2f9f2040d663d98b250463a69ec0ce5cec4e7e0032e92
                                          • Opcode Fuzzy Hash: e9193e366047870b28127e3109bc92520ca3ba5afee92391808300266922ba72
                                          • Instruction Fuzzy Hash: 5111F2B69006499FDB20CF9AC844ADEBBF4EB88210F10842AE519A7600C379A545CFA5

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          [Figure: control-flow graph of the function starting at block 162ce60-162cea0; the graph contains a call to GetModuleHandleW]
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0162CEC6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1569370759.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1620000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          • Opcode ID: c7e03dd8fa42860ff2338fba953271335a3e95d99013f3e0c1ca0d1fa4a04168
                                          • Instruction ID: 13a83d2156bb180e253fd16c83dffcc3be5933e2db1ce9b251d9789873ec69fc
                                          • Opcode Fuzzy Hash: c7e03dd8fa42860ff2338fba953271335a3e95d99013f3e0c1ca0d1fa4a04168
                                          • Instruction Fuzzy Hash: 591110B6C006498FDB20CF9AC844BDEFBF4EF88210F10841AD468A7700C379A545CFA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1568464354.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_14bd000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c6ee052c662c6263584598469b31a2af33af6e9bca6b09dd81d6b119403c7b52
                                          • Instruction ID: b31ec3ddd46ddf72306895b052ade9ea3e13fa716edcebc5fb90a8582102dae5
                                          • Opcode Fuzzy Hash: c6ee052c662c6263584598469b31a2af33af6e9bca6b09dd81d6b119403c7b52
                                          • Instruction Fuzzy Hash: F421C772904280DFDF19DF94D9C4B67BB65FB88328F2485AAED050B266C336D416CB71
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1568517499.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_14cd000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d90828dfddbaf912a75d255f0bfb956897557be155d87a59b8c738a98129213f
                                          • Instruction ID: 042d8f427dccaba5344190882934d3fae1a696d0bfc1190ebddfe66305823560
                                          • Opcode Fuzzy Hash: d90828dfddbaf912a75d255f0bfb956897557be155d87a59b8c738a98129213f
                                          • Instruction Fuzzy Hash: B92106B9904200DFDB55DF59D5C0B16BB61FB84718F20C57ED90A0B3A6C336D407CAA2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1568517499.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_14cd000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c3e79d323fbe01f61439e58673d3c934e6284ce038ab92c95b093a1d9684eedb
                                          • Instruction ID: 333818ac480940d97421a730cbd5dbb99ec2af1230c85b47fb39dce5819f0c32
                                          • Opcode Fuzzy Hash: c3e79d323fbe01f61439e58673d3c934e6284ce038ab92c95b093a1d9684eedb
                                          • Instruction Fuzzy Hash: F221F579904200EFDB55DF94D9C0B26BB66FB84724F20C57EE9094B3A2C336D446CAA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1568517499.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_14cd000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1ad1b9a2dea2f8b939932ccbaf1bf564118f75e5ef07b99fd4c4da0a66ef8f07
                                          • Instruction ID: 4b649064c51be47865dfcdb7b6448b221641f167dd1e3ade14715a619799dcb4
                                          • Opcode Fuzzy Hash: 1ad1b9a2dea2f8b939932ccbaf1bf564118f75e5ef07b99fd4c4da0a66ef8f07
                                          • Instruction Fuzzy Hash: 3E21B3755093809FCB12CF24D590712BF71EB46214F28C5EFD8498F6A3C33A980ACBA2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1568464354.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_14bd000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 63590c6d4b85089a62ccbb5b73be6abf778bad766966e0b930af7b7dfcf8d66b
                                          • Instruction ID: e61705b7d989757b4c446e8450a95db9d6ac0b581443e5c033512ad09e9caaa9
                                          • Opcode Fuzzy Hash: 63590c6d4b85089a62ccbb5b73be6abf778bad766966e0b930af7b7dfcf8d66b
                                          • Instruction Fuzzy Hash: 27219076904280DFDB16CF54D9C4B56BF61FB84324F24C5AADD090B666C336D416CBA1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.1568517499.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_14cd000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                          • Instruction ID: 13df1f4ccee73081228c578910a91568f4423ac88e37e3dbd51769bf99870c36
                                          • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                          • Instruction Fuzzy Hash: 3611AC7A904240DFDB16CF54D5C0B16BB62FB84624F24C6AED8494B7A6C33AD40ACB91

                                          Execution Graph

                                          Execution Coverage:11.4%
                                          Dynamic/Decrypted Code Coverage:100%
                                          Signature Coverage:0%
                                          Total number of Nodes:19
                                          Total number of Limit Nodes:4
                                          [Figure: execution graph rooted at 1640848, reaching 1641380, 1647090 and 667d388/667d398; the leaf nodes call GlobalMemoryStatusEx]
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2801880364.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6670000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $q$$q$$q$$q$$q$$q
                                          • API String ID: 0-2069967915
                                          • Opcode ID: 4f8218e17243ab16f1e0d51c0cb2b607ccd2a34ba798e29dc01ea340b321b15a
                                          • Instruction ID: 9ef12b3041afcd9d42f993e8dc4ac0d0065270fd79b8db316a596631a3378688
                                          • Opcode Fuzzy Hash: 4f8218e17243ab16f1e0d51c0cb2b607ccd2a34ba798e29dc01ea340b321b15a
                                          • Instruction Fuzzy Hash: C6823534E10719CFDB24DF68C984A9DB7B2FF89300F5486A9D409AB254EB74ED85CB90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2801880364.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6670000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $q$$q$$q$$q$$q$$q
                                          • API String ID: 0-2069967915
                                          • Opcode ID: 8bafaf8fec86a514ec86c6d791ac1042410f94e71f79364baa4906095836df48
                                          • Instruction ID: 03eb1fd103f44c52a73bed7836904841771a2c46ed3657144b2c3eca8fa76d67
                                          • Opcode Fuzzy Hash: 8bafaf8fec86a514ec86c6d791ac1042410f94e71f79364baa4906095836df48
                                          • Instruction Fuzzy Hash: 18527030E112098FEB64DB68D8947ADB7F2FB85310F24852AE405EB395DB39DC85CB91
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2791940251.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1640000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4ff216d06a14e50e2ab41c5554fe2f576b3af99d871a9391cee91a4545134d60
                                          • Instruction ID: c415f3705e8a572a29de3a77509e1b21288e56b890dd80ec1ea746c6d86ef6ec
                                          • Opcode Fuzzy Hash: 4ff216d06a14e50e2ab41c5554fe2f576b3af99d871a9391cee91a4545134d60
                                          • Instruction Fuzzy Hash: 29630C31D10B198ADB11EF68C8806A9F7B1FF99300F15C79AE45977225FB70AAD4CB81

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          [Figure: control-flow graph of the function starting at block 66756d8-66756f6; the graph contains calls to the subroutines at 6671ae0 and 6673ef8]
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2801880364.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6670000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $q$$q
                                          • API String ID: 0-3126353813
                                          • Opcode ID: 17d2dbc6f78c163a523894363b9edb644c8585ea794959a6a11ebb9f8facac50
                                          • Instruction ID: bbce6ef6793c2dff3b0efd6d0504871903a9abfea6bacc25d99182b92939175f
                                          • Opcode Fuzzy Hash: 17d2dbc6f78c163a523894363b9edb644c8585ea794959a6a11ebb9f8facac50
                                          • Instruction Fuzzy Hash: 6F024A34B002059FDB54DB68D894BAEB7B2FF84310F248569E906AB394DF35EC46CB91
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2791940251.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1640000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b2cbe578e6a0ecaae5341dfd2e6e4e5a731aecd69a538536e15fbc4217193780
                                          • Instruction ID: bd7255db0f7662a7a56f3bcd58f3417a51800980758c32b430bfaf55c964fee6
                                          • Opcode Fuzzy Hash: b2cbe578e6a0ecaae5341dfd2e6e4e5a731aecd69a538536e15fbc4217193780
                                          • Instruction Fuzzy Hash: BF331F31D107198FDB11DF68C8806AEF7B1FF99300F15C69AE459A7225EB70AAC5CB81

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          [Figure: control-flow graph of the function starting at block 6672f00-6672f1d; no API calls are annotated in the graph]
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2801880364.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6670000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $
                                          • API String ID: 0-3993045852
                                          • Opcode ID: b47fcd2aefe2bb144487413938cb2adfeef1b51e250a9b76c60169257a7bc47a
                                          • Instruction ID: a0c72a7412ee06b7f5590437488ef0cdbea3f46f9e5c7129d82e4ef3d346e06a
                                          • Opcode Fuzzy Hash: b47fcd2aefe2bb144487413938cb2adfeef1b51e250a9b76c60169257a7bc47a
                                          • Instruction Fuzzy Hash: FE22BF35F002158FDF64DBA8D8907AEBBB6EF84310F248569D816BB384DA35DD45CB90

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          [Figure: control-flow graph of the function starting at block 667bd00-667bd19; the graph contains calls to the subroutine at 6673ef8]
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2801880364.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6670000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PHq
                                          • API String ID: 0-3820536768
                                          • Opcode ID: e0c2475bdcfcaf3d6edf00868ec3e4bf2842f3f5f49735d28980697ea4685468
                                          • Instruction ID: fdb7539111e287708b33e68f3ed71587961de5c51608b92f4a53d1a2311e2d7a
                                          • Opcode Fuzzy Hash: e0c2475bdcfcaf3d6edf00868ec3e4bf2842f3f5f49735d28980697ea4685468
                                          • Instruction Fuzzy Hash: 3A227C34B102058FDB64DB78D494BADB7E2EF88310F248569E406EB3A5DB75EC42CB91

                                          Control-flow Graph

                                          • Entry: 667dd10; calls: 667d348, 667d17c, 6671ae0 (rendered graph; node/edge list omitted, nodes marked Executed / Not Executed)
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2801880364.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6670000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $q
                                          • API String ID: 0-1301096350
                                          • Opcode ID: 6e5a671d696a4ec07ade830558109cf3eaa1045e7bd85ca050230fa589deacaf
                                          • Instruction ID: 9d336e058028134645474d9188e4d1622d62737ba8ee9a21a7c72d15adcc70d2
                                          • Opcode Fuzzy Hash: 6e5a671d696a4ec07ade830558109cf3eaa1045e7bd85ca050230fa589deacaf
                                          • Instruction Fuzzy Hash: 06B19374B042148FEB59AF75985977E7BB3AFC8210F14886EE006EB398DE359C0687D1

                                          Control-flow Graph

                                          • Entry: 1643e80; calls: 1640ab8 (rendered graph; node/edge list omitted, nodes marked Executed / Not Executed)
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2791940251.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1640000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \VGk
                                          • API String ID: 0-2918603798
                                          • Opcode ID: 17056f9ed373784b591b2a46916956c7529509fc1f8b3e3a24e1e3e2d5e352fe
                                          • Instruction ID: 7420e554dd159c2e8df5dbce809523036480674af4e3088f5a5f5082ddd57ffc
                                          • Opcode Fuzzy Hash: 17056f9ed373784b591b2a46916956c7529509fc1f8b3e3a24e1e3e2d5e352fe
                                          • Instruction Fuzzy Hash: 49913B70E002199FDB14CFA9C9857EEBBF2BF88714F148129E915AB394DB749846CB81
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2801880364.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6670000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 78b071f01541b6a8f96e7dca81121964af6e7d4ffceb222c5f64d4e38ec7cd04
                                          • Instruction ID: 22be66c87506541749d4971fa20403c8e97d4e770a19d7d98be72b546cb3d067
                                          • Opcode Fuzzy Hash: 78b071f01541b6a8f96e7dca81121964af6e7d4ffceb222c5f64d4e38ec7cd04
                                          • Instruction Fuzzy Hash: 89623934B102048FDB64DB68D598BADB7F2EF88314F148569E816AB394DF35EC46CB80
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2801880364.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6670000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f0e5826bf73e007685ce6e8b376c7d316341deefa4d1d3a22bb69c9d7bead744
                                          • Instruction ID: 7b9f74f46e6d1350cb634979b4b95206c52d1a574fedf4c4520ec2f59b1e8673
                                          • Opcode Fuzzy Hash: f0e5826bf73e007685ce6e8b376c7d316341deefa4d1d3a22bb69c9d7bead744
                                          • Instruction Fuzzy Hash: EF324E34B112098FDF55DFA8D890BADB7B2EB89310F148529E805EB354DB39DC42CB91
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2791940251.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1640000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9920bb51add5ce1d6de410be01d11f1c332903f661ab6abb869478270ef0d2e4
                                          • Instruction ID: f4fff6f2df4650e1c165fd4bdaf020ca7239f19e00a91e89343df65094a36cc8
                                          • Opcode Fuzzy Hash: 9920bb51add5ce1d6de410be01d11f1c332903f661ab6abb869478270ef0d2e4
                                          • Instruction Fuzzy Hash: FE327D34B002148FDB15DFA8D894BAEBBB6EF88314F148569E909EB395DB35DC41CB90
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2791940251.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1640000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cf64ade7d380e84c6f59aa4b8bb6ab1778e21ebe9576f63d93e36a6e07e3d202
                                          • Instruction ID: 508e9aaf3b8b28d995825e0e9aa6be37f73d6ed6dfd5ddbc0084850f680068ed
                                          • Opcode Fuzzy Hash: cf64ade7d380e84c6f59aa4b8bb6ab1778e21ebe9576f63d93e36a6e07e3d202
                                          • Instruction Fuzzy Hash: 5BB13C71E00209CFDB14CFA9DC8679DBBF2AF88354F188129D855EB394EB749845CB85

                                          Control-flow Graph

                                          • Entry: 1644810; calls: 1640ab8 (rendered graph; node/edge list omitted, nodes marked Executed / Not Executed)
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2791940251.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1640000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \VGk$\VGk
                                          • API String ID: 0-3125469741
                                          • Opcode ID: 6b9185c9296246f6b27c4388a47ea165cb48f3cb16265edad4e0d51bec9ed505
                                          • Instruction ID: 09d04c3d5d7e585fa66171559e9512d58b53cefde3946daee5117b4be0be765a
                                          • Opcode Fuzzy Hash: 6b9185c9296246f6b27c4388a47ea165cb48f3cb16265edad4e0d51bec9ed505
                                          • Instruction Fuzzy Hash: 91715C70E00249DFEB14DFA9C8817DEBBF2BF48314F148129E815A7394DB749882CB95

                                          Control-flow Graph

                                          • Entry: 1644804; calls: 1640ab8 (rendered graph; node/edge list omitted, nodes marked Executed / Not Executed)
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2791940251.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1640000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \VGk$\VGk
                                          • API String ID: 0-3125469741
                                          • Opcode ID: 11202da8ad5056b1085b36683a24c2915e31893f51ee466ed3616e6c61f86003
                                          • Instruction ID: cdb923e69fb1eb214fcb76b6a566fe0d4008136f845b243666f38c58904463e6
                                          • Opcode Fuzzy Hash: 11202da8ad5056b1085b36683a24c2915e31893f51ee466ed3616e6c61f86003
                                          • Instruction Fuzzy Hash: 2B715A70E00249DFEB14CFA9C8817DEBBF2BF48314F148129E815A7394EB749886CB95

                                          Control-flow Graph

                                          • Entry: 1646ed8; calls: 1646c40, 1646764, 16480f1, 1647908, 1647918 (rendered graph; node/edge list omitted, nodes marked Executed / Not Executed)
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2791940251.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1640000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LRq$LRq
                                          • API String ID: 0-3710822783
                                          • Opcode ID: 496e366229a26473dca3f1be3380e38e6d2891c0171ea859cb2723da296edbbe
                                          • Instruction ID: addb069c6ae3a704ad1b755d36c828b8052cd16ebe41fa7b9cf97426af720f26
                                          • Opcode Fuzzy Hash: 496e366229a26473dca3f1be3380e38e6d2891c0171ea859cb2723da296edbbe
                                          • Instruction Fuzzy Hash: E7519E30A012199FDB15DF68D8507AEBBB2EF86700F10856AE405EB395EB75DC41CB90

                                          Control-flow Graph

                                          • Entry: 667e278; API call: GlobalMemoryStatusEx in block 667e2c6-667e2f4 (rendered graph; node/edge list omitted, nodes marked Executed / Not Executed)
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0667E1FA), ref: 0667E2E7
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2801880364.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6670000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: afa091f9948b76e11dcbeb0b9164d4df5c6788831219c97b8e7749c3e8c966cc
                                          • Instruction ID: c14df6bef65a43d21bb01a9368ef168c6c971bd5164e953465a949e7cc5db237
                                          • Opcode Fuzzy Hash: afa091f9948b76e11dcbeb0b9164d4df5c6788831219c97b8e7749c3e8c966cc
                                          • Instruction Fuzzy Hash: A02145B1C0021A8FDB24DFAAD4457DEFBF4AF48310F24855AE818A7740D77899458FA5

                                          Control-flow Graph

                                          • Entry: 667d364; API call: GlobalMemoryStatusEx in block 667d364-667e2f4 (rendered graph; node/edge list omitted, nodes marked Executed / Not Executed)
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0667E1FA), ref: 0667E2E7
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2801880364.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6670000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: 45710049f2a37a50113ac9d55de3b09ffbfc183f64e12d995b092d720dae9778
                                          • Instruction ID: 0cb5e7871723c80110d20d5a9f551f97e26f5545aac9b292e713dcb9f73dd3a4
                                          • Opcode Fuzzy Hash: 45710049f2a37a50113ac9d55de3b09ffbfc183f64e12d995b092d720dae9778
                                          • Instruction Fuzzy Hash: 251133B1C0065ADFDB10CF9AC444BEEFBF4EB08320F10816AE818A7240D378A905CFA5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2791940251.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1640000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \VGk
                                          • API String ID: 0-2918603798
                                          • Opcode ID: 9190be0d194d33204429aa0d388207aa8bdf55f4c7226d8b58a299475e208845
                                          • Instruction ID: 433916749c4a44d2d1e0f393fbf5f60bd924bd900b23323d22529386898aa9f0
                                          • Opcode Fuzzy Hash: 9190be0d194d33204429aa0d388207aa8bdf55f4c7226d8b58a299475e208845
                                          • Instruction Fuzzy Hash: B1914A70E00219DFDB14CFA8D985BEEBBF2BF48714F148129E815AB394DB749845CB91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2791940251.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1640000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PHq
                                          • API String ID: 0-3820536768
                                          • Opcode ID: b22232075399d3d88603043f6e60946197e385a7bcffe46f3db6bbfbd60895ef
                                          • Instruction ID: f566781e3b2c1a5eee0062f18313d71dc6cbc6d891b73bf0712b1be7240892dd
                                          • Opcode Fuzzy Hash: b22232075399d3d88603043f6e60946197e385a7bcffe46f3db6bbfbd60895ef
                                          • Instruction Fuzzy Hash: 1A31B230B012058FDB169B3CD95476E7BE2EB89640F2445B8D402DB396DF39DC46CB95
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2791940251.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1640000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PHq
                                          • API String ID: 0-3820536768
                                          • Opcode ID: 0e014fbacb75dcb5791643738f88a5d63f8d8e87b1c6b476a965329ee34bec71
                                          • Instruction ID: 5f9f1c5ce875026875cd4d94ef8d39aa561fa596e88470e33ad9de707a765fcf
                                          • Opcode Fuzzy Hash: 0e014fbacb75dcb5791643738f88a5d63f8d8e87b1c6b476a965329ee34bec71
                                          • Instruction Fuzzy Hash: DE31CD30B012058FDB26AB3DD91476E7BE3EB88240F2484A8D406EB399DF35DC468B95
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2791940251.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1640000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LRq
                                          • API String ID: 0-3187445251
                                          • Opcode ID: 58c696f09f8cf4717c125ba1a22d44bc5d34a307e4754c310ae6a80e1a7f7e31
                                          • Instruction ID: 17ddad516adbc67ed2c6fc5ae6f0d43e37575e1d9a15f02ddca42ef2dd40283a
                                          • Opcode Fuzzy Hash: 58c696f09f8cf4717c125ba1a22d44bc5d34a307e4754c310ae6a80e1a7f7e31
                                          • Instruction Fuzzy Hash: 99316D74E11209CBDB15DFA9D8507AEB7B2FF89700F108529E802EB340EB75E941CB50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2791940251.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1640000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: T
                                          • API String ID: 0-3187964512
                                          • Opcode ID: bd6fe28d3cf90cf0d1546e50873681162f71096ed30e9ea7a0d4813446e20399
                                          • Instruction ID: 6561769b116d7bd998a468376499a928193af01b959a8dd4aaa78d6a84311334
                                          • Opcode Fuzzy Hash: bd6fe28d3cf90cf0d1546e50873681162f71096ed30e9ea7a0d4813446e20399
                                          • Instruction Fuzzy Hash: 764100B1D00348DFEB14CFA9C894ADEBBF5AF48310F248029E819AB250DB759946CB95
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2791940251.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1640000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LRq
                                          • API String ID: 0-3187445251
                                          • Opcode ID: 2533ab5464491c8e0f685b64eee2763da181f01cdafbd86dc7d2233297d53cb9
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1640000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c3511d9f989934776fc30227e6e19c575600417344a7870aa284706756a5697d
                                          • Instruction ID: c78ba72a00a771c2b7ae9c3587237b1e4e99652b2bead2041bf8b13f2e81538c
                                          • Opcode Fuzzy Hash: c3511d9f989934776fc30227e6e19c575600417344a7870aa284706756a5697d
                                          • Instruction Fuzzy Hash: C0F09676E05150DFD7228FA89C901EC7FB1EA6621171C40ABE906DB316D725E582CB91
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2791940251.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1640000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 69d4e6eb0d0c4f0a132a2a65db88ee52e5135a689a6f0210165d305af2908038
                                          • Instruction ID: b6b3bd0cda2d350234473274c82e35d7b8495c2147ca7c8317ce9b31688cc683
                                          • Opcode Fuzzy Hash: 69d4e6eb0d0c4f0a132a2a65db88ee52e5135a689a6f0210165d305af2908038
                                          • Instruction Fuzzy Hash: 9DF07979B01214CFC704DB68D5A8B6D77B2EF88716F5140A9EA069B3A4DB35AD42CB40
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2791940251.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1640000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1e23eb2e4a2f94ef34cd220a88bab66871fe537b4198793ec6322c85fdd4e00c
                                          • Instruction ID: 13947c4253c024e98fd60535e2d403a5428bacb5b70439b9e1b6d6b5b39359f3
                                          • Opcode Fuzzy Hash: 1e23eb2e4a2f94ef34cd220a88bab66871fe537b4198793ec6322c85fdd4e00c
                                          • Instruction Fuzzy Hash: ACF03C74E10208EFEB04FFB8F890B9D7BB5EB44300F5086B8C405AB254EA756E05DB82
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2801880364.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6670000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
                                          • API String ID: 0-1298971921
                                          • Opcode ID: 885e89dc51b0e5dc73cfcd3a36defe039c9b8a3b44fe30760ad51e0fa9963517
                                          • Instruction ID: 511529ab6857d50ea41516eff48c61e10ffbb9ad1797515759286a68bf0105cd
                                          • Opcode Fuzzy Hash: 885e89dc51b0e5dc73cfcd3a36defe039c9b8a3b44fe30760ad51e0fa9963517
                                          • Instruction Fuzzy Hash: A912FA30E012198FDB64DF69D954A9EB7B2BF88301F2485A9D406AB354DF349D45CF80
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2791940251.0000000001640000.00000040.00000800.00020000.00000000.sdmp, Offset: 01640000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_1640000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \VGk
                                          • API String ID: 0-2918603798
                                          • Opcode ID: 169c7f2236c2436a1a12ee40cc152d8e8ca270bdce3d59bd6ff401619c3ea76c
                                          • Instruction ID: 260540042deed058afb82631f17db9776dc29f86edd9c44241b3c05b942584d6
                                          • Opcode Fuzzy Hash: 169c7f2236c2436a1a12ee40cc152d8e8ca270bdce3d59bd6ff401619c3ea76c
                                          • Instruction Fuzzy Hash: A9B12B70E00219CFDF15CFA9CC8679EBBF2AF88714F148129E915AB394EB749845CB91
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2801880364.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6670000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8e472d1e01bb287fcf1b6fc1c099628fc597633eb263c09b491e5e77e475561a
                                          • Instruction ID: dbccdc24f56e42d7da90f281adb25d15fbf6de28b79d584fdf9d23559d972a9c
                                          • Opcode Fuzzy Hash: 8e472d1e01bb287fcf1b6fc1c099628fc597633eb263c09b491e5e77e475561a
                                          • Instruction Fuzzy Hash: F3D1E331B101148FDF64DB69D490AAEBBF6FF89320F24846AD44AEB391DA31DC41CB90
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2801880364.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_9_2_6670000_PO 102675-PI C247SH45.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2b706a871980aeefab67ea222f0ea3d2d368ae7c0db9a7419854b4c7aa516c46
                                          • Instruction ID: a6fe0e8b672b84fca7c9b02a477eaa840f509e1124cfe53d50269651204a9efb
                                          • Opcode Fuzzy Hash: 2b706a871980aeefab67ea222f0ea3d2d368ae7c0db9a7419854b4c7aa516c46
                                          • Instruction Fuzzy Hash: 483170CBC0B7D90AC3194B34AD875591D50C9F216431C4FCCE2AA8E6A2FACDC20AC765

                                          Execution Graph

                                          Execution Coverage: 11%
                                          Dynamic/Decrypted Code Coverage: 100%
                                          Signature Coverage: 0%
                                          Total number of Nodes: 311
                                          Total number of Limit Nodes: 15

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentProcess.KERNEL32 ref: 0089EF7E
                                          • GetCurrentThread.KERNEL32 ref: 0089EFBB
                                          • GetCurrentProcess.KERNEL32 ref: 0089EFF8
                                          • GetCurrentThreadId.KERNEL32 ref: 0089F051
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1613914747.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_890000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: Current$ProcessThread
                                          • String ID:
                                          • API String ID: 2063062207-0
                                          • Opcode ID: 904683589d2b30537e1ea2884b145e86aa8674bf0c9656cb632d1710a96d13f3
                                          • Instruction ID: 188bb62ce9b624d4a082d31a00184e22302a7d0935db7da403b8ab2f8c2d2ca0
                                          • Opcode Fuzzy Hash: 904683589d2b30537e1ea2884b145e86aa8674bf0c9656cb632d1710a96d13f3
                                          • Instruction Fuzzy Hash: 1B5166B0901708CFEB24DFAAD548B9EBBF1FF48314F248459E019A7361DB745944CB66

                                          Control-flow Graph

                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C7A68E
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1619599583.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6c70000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: ae6248afedf7cd7797583f557c05f28c9c9aa05526e0208459c5c2bfb4f34ef5
                                          • Instruction ID: bd6009cdf77f1df22da542ba3cb9c0b6a489ce547685ece908f0dd1f1d28dccb
                                          • Opcode Fuzzy Hash: ae6248afedf7cd7797583f557c05f28c9c9aa05526e0208459c5c2bfb4f34ef5
                                          • Instruction Fuzzy Hash: F5A15A71D00719CFEB64CFA8C841BDEBBB2BF48310F148569E819A7284DB749A85CF91

                                          Control-flow Graph

                                          APIs
                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C7A68E
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1619599583.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6c70000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: bb1f0ad97308fdc9bd2cc185a17c4e846eb24a70923351ae20481865e370d522
                                          • Instruction ID: a0fb20ec4c246d0e3f3119011e85e810043e03d55a4f1d1d69aaffbe517ddb48
                                          • Opcode Fuzzy Hash: bb1f0ad97308fdc9bd2cc185a17c4e846eb24a70923351ae20481865e370d522
                                          • Instruction Fuzzy Hash: 5A915A71D00719CFEF64CFA8C841BAEBBB2BB44310F148569E819A7284DB749A85CF91

                                          Control-flow Graph

                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 027C37E2
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1615516270.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_27c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          • Opcode ID: 4dfa8a0d2facd2db97f0cd1ff994e2b735d67e27f91b73a54c2f8948ced1d664
                                          • Instruction ID: 7105e533cab49094d3d0fcfe788bb794ceb78a6d1b4251a63a7426b3611d664b
                                          • Opcode Fuzzy Hash: 4dfa8a0d2facd2db97f0cd1ff994e2b735d67e27f91b73a54c2f8948ced1d664
                                          • Instruction Fuzzy Hash: F851D175D00249EFDF15CFA9C980ADDBFB1BF48304F25816AE918AB221C7729855DF90

                                          Control-flow Graph

                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 027C37E2
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1615516270.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_27c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 027C37E2
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1615516270.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_27c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: CreateWindow
                                          • String ID:
                                          • API String ID: 716092398-0
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 00895CD9
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1613914747.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_890000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          APIs
                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 027C6161
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1615516270.00000000027C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_27c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: CallProcWindow
                                          • String ID:
                                          • API String ID: 2714655100-0
                                          APIs
                                          • CreateActCtxA.KERNEL32(?), ref: 00895CD9
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1613914747.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_890000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: Create
                                          • String ID:
                                          • API String ID: 2289755597-0
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C7A260
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1619599583.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6c70000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          APIs
                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06C7A260
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1619599583.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6c70000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C7A340
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1619599583.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6c70000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C7A0B6
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1619599583.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6c70000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          APIs
                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C7A340
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1619599583.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6c70000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: MemoryProcessRead
                                          • String ID:
                                          • API String ID: 1726664587-0
                                          APIs
                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06C7A0B6
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1619599583.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6c70000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          APIs
                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0089F1CF
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1613914747.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_890000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: DuplicateHandle
                                          • String ID:
                                          • API String ID: 3793708945-0
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C7A17E
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1619599583.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6c70000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          APIs
                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0089CF41,00000800,00000000,00000000), ref: 0089D152
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1613914747.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_890000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID:
                                          • API String ID: 1029625771-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1619599583.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6c70000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          APIs
                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C7A17E
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1619599583.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6c70000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: AllocVirtual
                                          • String ID:
                                          • API String ID: 4275171209-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1619599583.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6c70000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          APIs
                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0089CEC6
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1613914747.0000000000890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_890000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: HandleModule
                                          • String ID:
                                          • API String ID: 4139908857-0
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 06C7DEB5
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1619599583.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6c70000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 06C7DEB5
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1619599583.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_6c70000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: MessagePost
                                          • String ID:
                                          • API String ID: 410705778-0
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1613671854.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_81d000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1613725838.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_82d000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1613725838.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_82d000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1613671854.000000000081D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0081D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_81d000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1613725838.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_82d000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                          • Instruction ID: 16615de670f293eb9c8aec893208e4effd44aa7124de91924e9281a0a64c265f
                                          • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                          • Instruction Fuzzy Hash: AF118B75504780DFDB15CF14E5C4B15FFA2FB84314F24C6AAD8498B6A6C33AD84ACBA2
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.1613725838.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_10_2_82d000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                          • Instruction ID: c340790075f52a7ee158cb9c196abe3787b47861578150bc2a49b0d1b95394a1
                                          • Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
                                          • Instruction Fuzzy Hash: 66118B75904280DFDB15CF10E5C4B15FFA2FB84314F24C6A9D8498B696C33AE84ACB62

                                          Execution Graph

                                          Execution Coverage: 11.9%
                                          Dynamic/Decrypted Code Coverage: 100%
                                          Signature Coverage: 0%
                                          Total number of Nodes: 3
                                          Total number of Limit Nodes: 0
                                          execution_graph (rendered graph, flattened to text): 623e280 -> 623e2c6 GlobalMemoryStatusEx -> 623e2f6
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2791790551.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_13c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2dd3184a9c2c88fda68742ef9fe4ea16d6b4ba597ab8ddcd06ebd386ef1f5a5f
                                          • Instruction ID: 58204e934490b1b492de801c14e5529642d9609a6591d694713b516c688807f2
                                          • Opcode Fuzzy Hash: 2dd3184a9c2c88fda68742ef9fe4ea16d6b4ba597ab8ddcd06ebd386ef1f5a5f
                                          • Instruction Fuzzy Hash: 14630931D10B1A8ADB51EF68C8845A9F7B1FF99300F11D79AE45877221FB70AAD4CB81
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2791790551.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_13c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 88deaa46023be7fec493d9d05ce6f5814fbd5548c7c4742ad22a3050ca98859b
                                          • Instruction ID: 75b98e79b6058585f5a5902045dd01e07ce66ba305b498fdb9b297c3da09663a
                                          • Opcode Fuzzy Hash: 88deaa46023be7fec493d9d05ce6f5814fbd5548c7c4742ad22a3050ca98859b
                                          • Instruction Fuzzy Hash: DD331031D107198EDB11EF68C8846ADF7B1FF99300F15C79AE459A7221EB70AAC5CB81

                                          Control-flow Graph

                                          control_flow_graph 2920 (rendered graph; edge list omitted): entry block 13c3e80-13c3ee6, final block 13c4180 (self-loop), three call sites to 13c0ab8 at 13c4127-13c412a, 13c413b-13c413e and 13c414f-13c4152
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2791790551.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_13c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \VGk
                                          • API String ID: 0-2918603798
                                          • Opcode ID: f7b674a1ef85b7f9b5627427e3b032a804397fe90ecc0f8833230e68fd1867f0
                                          • Instruction ID: dab6b9ae3f02be7735fde113a4889a13afad6b500c3d990cb5f21f6b9b7efd6d
                                          • Opcode Fuzzy Hash: f7b674a1ef85b7f9b5627427e3b032a804397fe90ecc0f8833230e68fd1867f0
                                          • Instruction Fuzzy Hash: D7915A70E00209DFDB14CFA9D9917DEBBF2BF88708F14852DE445AB294EB749845CB81
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2791790551.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_13c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3e78c99dd048a27c94e2dc63362b7aa22a0fcfd579b413376dfdea32f1f4873f
                                          • Instruction ID: 851d8ec29934c0a2f3050f4cbe550f1f6ef9054b617e53f091b4708353416d5b
                                          • Opcode Fuzzy Hash: 3e78c99dd048a27c94e2dc63362b7aa22a0fcfd579b413376dfdea32f1f4873f
                                          • Instruction Fuzzy Hash: C6327E34A002048FDB14DF69D884BAEBBB6FF88718F158569E909EB396DB35DC41CB50
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2791790551.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_13c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 06cb4c1df38f9818f14b1584489ccb40a45032d4cc69c0c74865af99c747c2d5
                                          • Instruction ID: d3c59966af4c1a16c0a10e1ac7331eb580b3390f39407c2c77a8a063c8e1d0b5
                                          • Opcode Fuzzy Hash: 06cb4c1df38f9818f14b1584489ccb40a45032d4cc69c0c74865af99c747c2d5
                                          • Instruction Fuzzy Hash: 81B16C70E003099FEF14DFA8D89579DBBF2AF88718F14812DD855AB294EB749C45CB81

                                          Control-flow Graph

                                          control_flow_graph 1877 (rendered graph; edge list omitted): entry block 13c6ed8-13c6f42 calls 13c6c40; block 13c6f44-13c6f5d calls 13c6764; block 13c6fd2 resolves to three call targets 13c7918, 13c7908 and 13c80f1; exit block 13c70eb-13c70f1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2791790551.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_13c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LRq$LRq
                                          • API String ID: 0-3710822783
                                          • Opcode ID: 4ed9c693fddb8bde095c9bdf1923bdca6819d23720783b2e8e971771e591e29d
                                          • Instruction ID: ce9c0d366c3d66293bf01ed85d1146061a24ab6ce33b794665ee1db682c6c827
                                          • Opcode Fuzzy Hash: 4ed9c693fddb8bde095c9bdf1923bdca6819d23720783b2e8e971771e591e29d
                                          • Instruction Fuzzy Hash: 6351B130A002159FDB15DF68C8557AEBBB2FF89704F10852EE801EB391DB719C46CB91

                                          Control-flow Graph

                                          control_flow_graph 2842 (rendered graph; edge list omitted): block 623e280-623e2f4 calls GlobalMemoryStatusEx, then continues to 623e2f6-623e2fc or branches to 623e2fd-623e325
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE ref: 0623E2E7
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2802455327.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_6230000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: 8b15ba16b61ada7c6c841df7e8b8459668cf3fd592aeff78410ad87ed0824cc4
                                          • Instruction ID: 87b956e9bc476dbe6d9a7ee00b7c81b233e734088328bf88f427dfc66974456f
                                          • Opcode Fuzzy Hash: 8b15ba16b61ada7c6c841df7e8b8459668cf3fd592aeff78410ad87ed0824cc4
                                          • Instruction Fuzzy Hash: 611112B1C0066ADFDB10DF9AC545BDEFBF4AB48220F11812AE818A7640D778A944CFA5
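The record above (process 14, region 0x6230000, GlobalMemoryStatusEx referenced at 0623E2E7) is the one executed node of the decrypted-code execution graph. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: it parses records in this page's layout, decodes the .sdmp name into pid, stage, base and page protection, groups functions that share an Opcode ID, and flags sandbox-check APIs called from RWX memory that is not backed by a PE on disk. The sample text is copied from records on this page; reading the fifth .sdmp field as the Win32 page protection and the ANTI_ANALYSIS_APIS set are assumptions.

```python
"""Added example: parse the per-function records of a Joe Sandbox report
(the 'Memory Dump Source' blocks), decode the .sdmp region name, and flag
API calls that are typical sandbox checks. Not part of the report itself."""
import re
from collections import defaultdict

# Constructed sample in the report's own layout, copied from records on this page.
SAMPLE = """\
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 0623E2E7
Memory Dump Source
• Source File: 0000000E.00000002.2802455327.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false
• API ID: GlobalMemoryStatus
• Opcode ID: 8b15ba16b61ada7c6c841df7e8b8459668cf3fd592aeff78410ad87ed0824cc4
• Instruction ID: 87b956e9bc476dbe6d9a7ee00b7c81b233e734088328bf88f427dfc66974456f
Memory Dump Source
• Source File: 0000000A.00000002.1613725838.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
• Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
• Instruction ID: 16615de670f293eb9c8aec893208e4effd44aa7124de91924e9281a0a64c265f
Memory Dump Source
• Source File: 0000000A.00000002.1613725838.000000000082D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0082D000, based on PE: false
• Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
• Instruction ID: c340790075f52a7ee158cb9c196abe3787b47861578150bc2a49b0d1b95394a1
"""

API_REF = re.compile(r"^• (\w+)\.(\w+) ref: ([0-9A-Fa-f]+)$")
KV = re.compile(r"^• ([^:]+):\s*(.*)$")
# pid.stage.dumpid.base.protect... ; pid/stage/base positions are confirmed by the report's
# own snapshot names (0000000E...013C0000 pairs with hcaresult_14_2_13c0000).
SDMP = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.")
PAGE_EXECUTE_READWRITE = 0x40  # Win32 page protection; reading field 5 as protection is an assumption
ANTI_ANALYSIS_APIS = {"GlobalMemoryStatusEx"}  # assumption: extend with your own sandbox-check list


def decode_source_file(value):
    """'<name>.sdmp, Offset: X, based on PE: bool' -> region description."""
    name, _, rest = value.partition(", ")
    m = SDMP.match(name)
    if not m:
        raise ValueError(f"unexpected .sdmp name: {name}")
    pid, stage, _dump_id, base, protect = m.groups()
    pe_backed = rest.rsplit("based on PE: ", 1)[-1].strip().lower() == "true"
    return {"pid": int(pid, 16), "stage": int(stage, 16), "base": int(base, 16),
            "protect": int(protect, 16), "rwx": int(protect, 16) == PAGE_EXECUTE_READWRITE,
            "pe_backed": pe_backed}


def parse_records(text):
    """One dict per 'Memory Dump Source' block; API refs listed just before it belong to it."""
    records, pending_apis, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = {"apis": pending_apis}
            pending_apis = []
            records.append(cur)
            continue
        m = API_REF.match(line)
        if m:
            pending_apis.append({"api": m.group(1), "module": m.group(2), "ref": int(m.group(3), 16)})
            continue
        m = KV.match(line)
        if m and cur is not None:
            key, val = m.group(1).strip(), m.group(2).strip()
            cur[key] = val
            if key == "Source File":
                cur["region"] = decode_source_file(val)
    return records


def duplicate_opcode_groups(records):
    """Same Opcode ID with different Instruction IDs = same code seen at more than one place."""
    groups = defaultdict(set)
    for r in records:
        if r.get("Opcode ID"):
            groups[r["Opcode ID"]].add(r.get("Instruction ID"))
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def flag_anti_analysis(records):
    """Sandbox-check APIs called from memory that is RWX and not backed by a PE on disk."""
    hits = []
    for r in records:
        region = r.get("region", {})
        for a in r["apis"]:
            if a["api"] in ANTI_ANALYSIS_APIS:
                hits.append({"pid": region.get("pid"), "base": region.get("base"),
                             "api": a["api"], "ref": a["ref"],
                             "in_unbacked_rwx": bool(region.get("rwx")) and not region.get("pe_backed", True)})
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for h in flag_anti_analysis(recs):
        print(f"pid {h['pid']} region {h['base']:#x}: {h['api']} at {h['ref']:#010x}, unbacked RWX={h['in_unbacked_rwx']}")
    for opcode, instr in duplicate_opcode_groups(recs).items():
        print(f"opcode {opcode[:16]}... dumped {len(instr)} times")
```

Fed the text of the whole function-listing section, it reports which regions the memory-size check lives in (on this page, process 14's unbacked RWX region 0x6230000, which fits the anti-VM signature in the detection summary) and which Opcode IDs recur, such as 9e088ad8... dumped twice from 0x82D000 in process 10, i.e. the same function captured at two points rather than two distinct functions.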

                                          Control-flow Graph

                                          control_flow_graph 2848 (rendered graph; edge list omitted): entry block 623e27f-623e2be, block 623e2c6-623e2f4 calls GlobalMemoryStatusEx, then continues to 623e2f6-623e2fc or branches to 623e2fd-623e325
                                          APIs
                                          • GlobalMemoryStatusEx.KERNELBASE ref: 0623E2E7
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2802455327.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_6230000_cfEpcI.jbxd
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID:
                                          • API String ID: 1890195054-0
                                          • Opcode ID: 5d14df100b524218060373299980187919ac8a0cbcaf1625cb6c88b266e843a1
                                          • Instruction ID: 5f8e3461772ed1651005f0e06ace9df3d0cea366c0c2c97868fa11906030b6f0
                                          • Opcode Fuzzy Hash: 5d14df100b524218060373299980187919ac8a0cbcaf1625cb6c88b266e843a1
                                          • Instruction Fuzzy Hash: EF1112B2C0066ADFDB10CF9AC545BDEFBF4AF08210F15812AD818B7640D378A944CFA5

                                          Control-flow Graph

                                          control_flow_graph 2854 (rendered graph; edge list omitted): entry block 13c3e74-13c3ee6, final block 13c4180 (self-loop), three call sites to 13c0ab8 at 13c4127-13c412a, 13c413b-13c413e and 13c414f-13c4152
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2791790551.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_13c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: \VGk
                                          • API String ID: 0-2918603798
                                          • Opcode ID: 12483f046c2f4405297e6faa42a91279b766d02bb180025d5f11fcb5e3ed8f2c
                                          • Instruction ID: 64bc912bc3630415421453bb47554d4d1819f710b9f832ae0dfc480c5ff8812f
                                          • Opcode Fuzzy Hash: 12483f046c2f4405297e6faa42a91279b766d02bb180025d5f11fcb5e3ed8f2c
                                          • Instruction Fuzzy Hash: E3A16B70E10209DFDB24CFA8D9917DDBBF2BF88718F14852DE445A7294EB749845CB81
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2791790551.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_13c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PHq
                                          • API String ID: 0-3820536768
                                          • Opcode ID: 3ae73c8c20adad8e92ddef14f91b964c436899d68c5efe5dfd4b8708881c7478
                                          • Instruction ID: c9ad7e8d372157f27357a9bdde4edff7033e207383c24274961b975f742fb3fc
                                          • Opcode Fuzzy Hash: 3ae73c8c20adad8e92ddef14f91b964c436899d68c5efe5dfd4b8708881c7478
                                          • Instruction Fuzzy Hash: 5D3121307002048FDB1AAB38D8547AE7BA7AF89604F24457DD406DB396DF39DC46C781
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2791790551.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_13c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PHq
                                          • API String ID: 0-3820536768
                                          • Opcode ID: 2965b06a166324dfc60a620cfd3fc84eb83f80671141920ed5836fa88846170f
                                          • Instruction ID: 69675b3cd0dbd28a9d78c5189ecd10d04e6c4ce8d0f17442204990acfae2e681
                                          • Opcode Fuzzy Hash: 2965b06a166324dfc60a620cfd3fc84eb83f80671141920ed5836fa88846170f
                                          • Instruction Fuzzy Hash: 7931F030B002049BDB15AB38D91476E7BA7EF88604F24456CD406EB38ADF35DC42C795
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2791790551.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_13c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LRq
                                          • API String ID: 0-3187445251
                                          • Opcode ID: 434020bf451156e2b93e6e54c8dbce56f6c5acf0333acb92a6595ef8ac6e4c21
                                          • Instruction ID: 5b8a16c59d0bd615f8023b2360463ab8b032262a5909960f971f4136fd5ae99f
                                          • Opcode Fuzzy Hash: 434020bf451156e2b93e6e54c8dbce56f6c5acf0333acb92a6595ef8ac6e4c21
                                          • Instruction Fuzzy Hash: ED31A174E002198BDB15CF69C85179EB7B2FF89704F10852AE901EB340EB71ED45CB50
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2791790551.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_13c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LRq
                                          • API String ID: 0-3187445251
                                          • Opcode ID: ee0de12167633121706ad63981329f56d190e0e3babea03fd8f37283b165c5c5
                                          • Instruction ID: cf65890a12d7a26d6e1236effd27ddf5d41e6f415a36babc8dd2c452a95c460b
                                          • Opcode Fuzzy Hash: ee0de12167633121706ad63981329f56d190e0e3babea03fd8f37283b165c5c5
                                          • Instruction Fuzzy Hash: 2621F5307042409FC712AB7D94257AD3FB2EF8B304B0485ABD445CB3A6DE369C469BA1
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2791790551.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_13c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3d79d2164a248a9cd1ef6a866625c130540a04187eb68e39f543708caa441c7a
                                          • Instruction ID: d60b2dbabea5cc6307ade44074143af8efb0c21040238dd50ab7720a709cd8ed
                                          • Opcode Fuzzy Hash: 3d79d2164a248a9cd1ef6a866625c130540a04187eb68e39f543708caa441c7a
                                          • Instruction Fuzzy Hash: F71241347002018BDB29AB3CD89966C76A3EF8D248B54893AF505CF356DE75EC47AF81
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2791790551.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_13c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d46b6cf43b4c5eace344a90ae4ac371f5b5e925122a2f9409a13f7e41d571913
                                          • Instruction ID: fba27014776aa9383e7787c95052886fa0d19f8535d4f8c98650933bb527fb87
                                          • Opcode Fuzzy Hash: d46b6cf43b4c5eace344a90ae4ac371f5b5e925122a2f9409a13f7e41d571913
                                          • Instruction Fuzzy Hash: 9E1241347002018BDB29AB3CD88966C76A3EF8D648B548939F505CF356DE75EC47AF81
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2791790551.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_13c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cc739d8cd536bfb92fdf02e20cb031db0ea997d357ebc5f2f5002806bd2bd9c6
                                          • Instruction ID: 1d6a6ba457bf800880cd155a7eb0ee4ae215201f0508828d923dd682997127f0
                                          • Opcode Fuzzy Hash: cc739d8cd536bfb92fdf02e20cb031db0ea997d357ebc5f2f5002806bd2bd9c6
                                          • Instruction Fuzzy Hash: B4B15C70E10209DFEF10DFA8D8957DDBBF1AF48718F14812DD855AB294EB749845CB81
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2791790551.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_13c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 175f11102b918528a53ed85e7e82df660e5bdbb1111959f2603659ecb1e0524e
                                          • Instruction ID: 440f6004af159471542f2aa96f60109fa9963050edf733aaed4372c451a6abf1
                                          • Opcode Fuzzy Hash: 175f11102b918528a53ed85e7e82df660e5bdbb1111959f2603659ecb1e0524e
                                          • Instruction Fuzzy Hash: 2E917E34A002148FDB15DF68D594BADBBB6EF88728F158569E805EB3A5DF31EC42CB40
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2791790551.00000000013C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013C0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_14_2_13c0000_cfEpcI.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6bff49f3d5f707b3a21c68de84554d7209e0954d7adfa6809adea7242d2ead8d
                                          • Instruction ID: 7b43872b841a08cbcc2f0864f1896128e49ba46d9a78f24b30baa92ab56267fc
                                          • Opcode Fuzzy Hash: 6bff49f3d5f707b3a21c68de84554d7209e0954d7adfa6809adea7242d2ead8d